Patterns Release Notes

info

Changes marked with ⚠️ may be breaking, have security impact, or affect user experience. Review these changes carefully, and adapt your pattern configuration as required.

How to install and use plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select the corresponding ROLLING RELEASE.

Enter the version in the Search field.

On how to use this library, see Editing Project Pattern Libraries.

Patterns 8.2505.8 Release Notes - 2025-10-30

Release information

• Build Version: 8.2505.8.2

Changes

⚠️ The image versions encoded in the patterns have been increased for all Nevis components. The version number is shown in the deployment preview in the NevisComponent and NevisDatabase resources.

You have to download the latest images and ensure that they are available in the container registry of your Kubernetes cluster. Alternatively, you can use of an older version by declaring versions in the inventory.

Identity Management

• PAT-960: Fixed a minimum version check for nevisIDM in Kubernetes deployment.
• PAT-969: Fixed a bug when using an expression that ends with the String Endpoint in nevisDataPorter Instance.

Patterns 8.2505.7 Release Notes - 2025-09-25

Release information

• Build Version: 8.2505.7.5

Changes

General

• ⚠️ PAT-968: Fixed generation of the sslmode parameter when using PostgresSQL in Java-based components.
  • the parameter must be called sslmode when using PostgresSQL and sslMode when using MariaDB.
  • this change can be breaking as downgrade to plain connections is prevented when enabling TLS encryption.
  • if you need a plain connection you may have to adapt your database pattern configuration.

Authentication

• PAT-966: Fixed Generic nevisAuth Web Service pattern to generate all Method elements.
• PAT-958: Improved help of nevisAuth Database pattern.
  • The parameter syncPullInitial is supported by the RemoteSessionStore only, and thus it has to be prefixed with session:.
• PAT-967: Avoid warning for unused template when using the nevisProxy Renderer.

Identity Management

• PAT-960: Added a minimum version check for nevisIDM Second-factor Selection in Kubernetes deployments.
  • The pattern generates a ScriptState which calls a new nevisIDM REST endpoint to get timezone information.

Mobile Authentication

• PAT-965: Support using Kubernetes secrets for Android Service Account and iOS DeviceCheck Key.

Patterns 8.2505.6 Release Notes - 2025-08-29

Release information

• Build Version: 8.2505.6.2

Changes

Application Protection

• PAT-944: Rephrased pattern help related to the prefix:/ path syntax in application patterns.
• PAT-943: Ensure the exclude-url-regex entry is added to inherited filter-mapping elements for filters with the purpose of session tracking.
  • This prevents multiple filters with a similar purpose (e.g., authentication) in the chain.
• PAT-943: Ensure exclude-url-regex requirements in Generic Application / Virtual Host Settings overrule the requirements of other patterns.
  • This allows for full control in case customization is required.
• PAT-947: Fixed missing OPENSSL_ENGINE environment variable for the Securosys HSM PKCS#11 integration.

Authentication

• PAT-949: Added support for assigning a step for the unlock method in the Authentication Realm pattern.
  • Settings for the LoginRendererServlet will be provided in the November 2025 release. If you needed to patch this servlet, Generic Virtual Host Settings has to be used for now.

Identity Management

• ⚠ PAT-929: Fixed the nevisIDM Second Factor Selection pattern.
  • The pattern now uses the timezone of nevisIDM for validity checks.
  • This change requires the latest version of nevisIDM. In case of Kubernetes deployment, the version of the nevisIDM service has to be set in the inventory.

Mobile Authentication

• PAT-952: Updated FIDO UAF metadata.
  • Android will start using new root certificates in February 2026; therefore, the metadata file for FIDO UAF Full Basic Attestation was updated.
• PAT-950: Relaxed validation for the Client ID in the nevisFIDO UAF Instance.
  • ⚠ For technical reasons, the pattern In-band Mobile Registration Service requires a Client Name to be configured as well.
  • Added warning and info messages to highlight potential configuration mistakes.

Patterns 8.2505.5 Release Notes - 2025-08-08

Release information

• Build Version: 8.2505.5.5

Changes

General

• IP-988: Get rid of warning when using a k8s-secret:// reference in pattern settings that require a path to be configured.
• PAT-920: Improve warning messages related to minimal canary deployment.
• PAT-909: Database patterns now have a tab Connection Pool to configure pool size and timeouts.
  • ⚠️ The nevisAdapt Database and nevisDetect Database patterns have a breaking change as a drop-down had to be removed. If you had selected any option, clear it and configure the settings in the Connection Pool tab instead.

Application Protection

• PAT-912: Prevent escaping : in k8s-secret:// references in generated nevisProxy filters. These references are replaced during deployment inside the cluster.
• PAT-897: Improved generation of PostgreSQLSessionStoreServlet by removing unsupported init-param elements.
• PAT-725: Support ${var. expressions for patching Host element.

Authentication

• PAT-934: Support nested Mapping elements for Method elements in Generic nevisAuth Web Service.
• PAT-916: Reduced severity for missing assignment of nevisAuth Database to info level in classic deployment:
  • Load balancing from nevisProxy to nevisAuth is session sticky in classic, and thus it may be acceptable to run nevisAuth without a remote session store. Of course, you risk session loss and errors during stepup for some users when their nevisAuth instance goes down.
• PAT-922: Fix embedded HTML elements in nevisLogrend JSON rendering.
• N/A: Simplified how the inline button is represented in the Gui descriptor generated by the Dispatcher Button pattern.
  • This change is not breaking, but it may lead to a different rendering of the button in some cases.
• PAT-929: Second-Factor Selection pattern now calculates time zone difference between nevisIDM REST output and nevisAuth server time by using nevisIDMs new Timezone endpoint.
  • ⚠️ This change requires nevisIDM version 8.2505.5 or later.

Identity Management

• PAT-903: Fixed missing button for On Cancel for nevisIDM Second-Factor Onboarding.
• PAT-902: The nevisIDM Terms & Conditions Acceptance pattern now filters the terms by selected profile.

Mobile Authentication

• PAT-921: Removed unnecessary entries from FIDO UAF Metadata.
• PAT-904: Fixed error handling for Usernameless Out-of-band Mobile Authentication and new On Failure exit.
• PAT-930: Update default metadata for nevisFIDO UAF Instance to support new authenticators for Android.

FIDO2 Passwordless

• IP-988: Support passkey autofill for users with multiple profiles

Patterns 8.2505.4 Release Notes - 2025-06-25

Release information

• Build Version: 8.2505.4.3

Changes

General

• PAT-901: Prevent deployment error when cert is expired.

Application Protection

• PAT-926: Fix unused pattern issue for Generic Application Settings assigned to Hosting Service.
• PAT-897: Removed unsupported init-param elements for PostgreSQLSessionStoreServlet.

Authentication

• PAT-893: Added missing mime-type for JSON to nevisLogrend.
• PAT-893: New setting Custom MIME Types in nevisLogrend Instance pattern to add or overwrite MIME types.
• PAT-888: Always generate ManagementService for esauth4.xml to ease integration with nevisAdapt.
• NEVISAUTH-5167: Refactor generation of patterns that render a button in authentication flows.
  • Dispatching did not work for Dispatcher Button when:
    • Button Type is set to inline,
    • the pattern is assigned to nevisIDM User Lookup,
    • and Remember Input and Passkey Autofill were disabled in the nevisIDM User Lookup pattern.
  • Instead of producing 1 GuiElem and including HTML in the label, the inline variant now generates 2 GuiElem elements. This simplifies the dispatching logic and avoids errors (e.g., because of input validation and AuthState execution).
  • This change also sets the groundwork for setups where labels shall be translated in nevisLogrend instead of nevisAuth.

Identity Management

• PAT-903: Fixed missing button for On Cancel for nevisIDM Second-Factor Onboarding

Adaptive Authentication

• IP-771: Improved lookup of user and client extId in User Notification (Adaptive Authentication) pattern.

SAML / OAuth / OpenID Connect

• PAT-900: Fixed false warnings for Generic Social Login Step pattern.
• PAT-896: New settings to configure the handling for dispatching errors in SAML IDP.

Mobile Authentication

• PAT-900: Fixed false warnings for nevisFIDO Instance pattern.
• PAT-884: Fixed error due to missing port in proxy-url in nevisfido.yml.
• PAT-890: Fixed error in In-band Mobile Authentication Realm when using a custom nevisIDM client.
• PAT-899: Additional settings for Full Basic Attestation.

Patterns 8.2505.3 Release Notes - 2025-05-21

Release information

• Build Version: 8.2505.3.14

info

This release includes the changes of the internal releases 8.2505.2 and 8.2505.1. Please read those release notes as well.

Changes

info

The development of new, advanced use cases made the patterns more interconnected. For instance, the nevisIDM User Lookup pattern now supports Passkey Autofill which requires assignment of a nevisFIDO FIDO2 Instance.

This does not mean that it is now always required to also select the nevisadmin-plugin-fido2 when using the nevisadmin-plugin-nevisidm. You only have to do that if you use this feature.

As a consequence, we will rearrange the subsections to describe the changes. Most patterns for building authentication flows are described in the Authentication section. Authentication step patterns that connect to nevisIDM are now also described there.

For changes related to passwordless authentication see the Mobile Authentication and FIDO2 Passwordless sections.

General

• PAT-826: Add always_on to sampler to ensure OpenTelemetry traceId is always generated.

Authentication

• ⚠️ We replaced the default Login Template with a more modern design
  • If you notice any screen rendering issues in combination with your custom AuthState configuration, please contact support.
  • You can also opt out of this change by setting Default Template to classic in the realm pattern.
  • The new template uses a ?v parameter for referenced resources (e.g., CSS, JavaScript, images) to avoid caching issues.
• PAT-863: New Reset Session Step pattern.
• PAT-811: Support setting custom properties in Kerberos Login pattern.
• PAT-844: Do not filter out terms with silentAcceptance in nevisIDM Terms & Conditions Acceptance pattern.
• IP-700: Improved display of OATH Onboarding and OATH Authentication.
• IP-683: New nevisIDM Recovery Code Onboarding & nevisIDM Recovery Code Authentication patterns.
• IP-697: New experimental setting for inline display of the button as a link in Dispatcher Button pattern.
  • This mode is not supported in all places yet.
  • If you would like to this feature, and it does not work for you, contact support.
• ⚠️ PAT-867: Deprecated Remember Input setting
  • This feature does not work in all scenarios and was therefore marked for removal in the Nov 25 release.
  • A warning message will be displayed when the setting is enabled.
• PAT-839: Added domain to default SecToken fields to ease integration with nevisAdapt.
• ⚠️ PAT-872: Align naming of button labels
  • login.social.generic.button.label -> login.social.button.label
  • mobile_auth.cancel.button.label -> cancel.button.label
  • fido2.cancel.button.label -> cancel.button.label
  • If you have changed the translation for any of those labels, check that the new label is translated as required.
• IP-704: Ensure roles are always fetched the generated IdmGetPropertiesState.
• N/A: Added support for buttons to nevisIDM Second-Factor Onboarding pattern.
• PAT-840: Fixes for nevisIDM Terms & Conditions Acceptance pattern
  • The Groovy script generated by the pattern did not work when the user had multiple terms to accept.
• IP-706: Added optional user property update to nevisIDM User Update pattern.

Identity Management

• PAT-842: Support exposure of REST API for use by nevisIDM Administration GUI when the project contains nevisIDM REST Service pattern and domains differ.
• PAT-837: Add env.conf upload possibility to nevisDataPorter Instance pattern.

Adaptive Authentication

• NEVISDETECT-2113: New experimental pattern nevisAdapt Risk Calculation Step with minimal setting options and no persistence.
• IP-665: new setting allows nevisAdapt Authentication Connector to opt out of assigning it to the logout flow.

SAML / OAuth / OpenID Connect

• N/A: Fixed a generation failure caused by Generic Social Login Step.
• PAT-865: Improved handling of invalid requests in the dispatcher script generated by the SAML IDP pattern.
• PAT-841: Improved error handling in OAuth 2.0 Authorization Server / OpenID Provider.
• PAT-782: Allow disabling role re-assignment for SAML IDP Connector pattern in case SP does not belong to Nevis.
• PAT-794: Added setting to configure old signer to support certificate rollover for OAuth 2.0 Authorization Server / OpenID Provider.
• PAT-812: Only require IDP Signer Trust Store when Signature Validation is not none.
• PAT-790: Support PKCE config for RelyingParty and OAuth2Client states.

Mobile Authentication

• PAT-861: Add support for App Attestation for iOS and Android to the nevisFIDO UAF Instance pattern.
• PAT-878: Outbound proxy support for App Attestation connections.
• PAT-860: Add support for usage of nevisProxy Login Renderer in In-Band Mobile Authentication Realm.
• PAT-873: Add connection pool settings to nevisFIDO UAF Database pattern.
• PAT-858: New setting Push Message Timeout on nevisFIDO UAF Instance to configure the lifetime of a push message on the Google and Apple push servers.
• PAT-836: New setting Full Basic Attestation - Android Permissive Mode in nevisFIDO UAF Instance pattern.

FIDO2 Passwordless

• PAT-873: Add connection pool settings to nevisFIDO FIDO2 Database pattern.
• PAT-855: Support for Passkey autofill in nevisIDM User Lookup pattern.
• PAT-868: Support optional nevisIDM policy ID configuration in nevisFIDO FIDO UAF Instance pattern for UAF and generic dispatch target credentials.
• ⚠️ PAT-832: Improved support for FIDO2 Metadata in nevisFIDO FIDO2 Instance pattern:
  • It is now possible to fetch the metadata from a remote metadata service, e.g., https://mds3.fidoalliance.org/
  • The default is backward compatible, but we recommend to check the settings in the FIDO2 Metadata tab and configure the metadata as desired.

Kubernetes

• NEVISADMV4-10220: Support for minimal canary deployment
• ⚠️ IP-669: Improved defaults for Startup Probe Delay:
  • nevisMeta: 30s
  • nevisDetect: 30s
  • nevisLogrend: 30s
  • nevisAuth: 50s
  • nevisFIDO: 30s
  • nevisDP: 30s
  • nevisIDM: 60s
  • nevisProxy: 30s
  • nevisAdapt: 60s

Patterns 8.2505.2 Release Notes - 2025-04-01

Release information

• Build Version: 8.2505.2.12

info

This is an internal release. Use the latest available version on the Nevis Portal instead. The changes described will all be included.

Changes

• PAT-848: Improved error handling when email address is incorrect in nevisIDM User Create pattern.
• PAT-845: Fixed handling of the password policy violations in nevisIDM Change Password pattern.
• PAT-850: New settings for ingress generation in the Virtual Host pattern.

Patterns 8.2505.1 Release Notes - 2025-03-05

Release information

• Build Version: 8.2505.1.2

info

This is an internal release. Use the latest available version on the Nevis Portal instead. The changes described will all be included.

Changes

General

• ⚠️ NEVISADMV4-10472: Upgrade nevis-git-init version to 1.4.0.
• PAT-768: Prevent misleading error message on existing user signup in Simple Sign-in / Sign On Template.
• PAT-826: Add otel.traces.sampler=always_on to ensure the trace ID always exists in Java components.
• ⚠️ PAT-823: Update default image versions to 8.2505.1.

Application Protection

• PAT-822: The Generic nevisProxy Instance Settings pattern can now customize nevisProxy OpenTelemetry settings.
• PAT-800: Fixed the paranoia level generation with the new CRS 4.7.0 version. It now uses the blocked_paranoia_level variable.
• PAT-779: Updated navajo.dtd to latest.
• NEVISPROXY-7487: Add ProgName again to restore trace ID.
• PAT-785: Added Trailing Slash Redirect setting to Virtual Host pattern.

Authentication

• PAT-793: Added Session Cookie Validity Timeout setting to realm patterns.
• PAT-789: Support configuration of connectionMinPoolSize in nevisAuth.
• PAT-780: change the default memory limit and request for nevisAuth.
• PAT-851: Added custom session parameters to the realm patterns.

Identity Management

• PAT-827: Fixed nevisIDM Audit log forwarding to Syslog server.
• PAT-770: nevisIDM Authorizations pattern now handles fine-grained authorizations for UserModify and UserSearch.

SAML / OAuth / OpenID Connect

• PAT-772: New settings Valid Authorization Request Authentication Required and Authentication Successful Without Login for OAuth 2.0 Authorization Server / OpenID Provider.
• PAT-829: Remove unused database.type property for nevisMeta.
• PAT-557: New pattern OAuth 2.0 / OpenID Connect Dynamic Client Registration Endpoint.
• NEVISMETA-2079: Add ?logout handler for nevisMeta Web Console to prevent broken UI.
• PAT-788: Improve URL syntax handler for IDP URL setting to allow usage of expressions.

Mobile Authentication

• NEVISACCESSAPP-6256: Improve device request timeout documentation.
• PAT-792: Use nevisIDM REST API only in nevisFIDO UAF Instance.
• PAT-714: Support Proxy User and Proxy Password for Firebase connection.

FIDO2 Passwordless

• PAT-828: New setting User Presence Requirement for nevisFIDO FIDO2 Instance.
• ⚠️ PAT-736: The nevisFIDO FIDO2 Instance now allows protecting FIDO2 onboarding operations with a SecToken.
• ⚠️ PAT-820: Extended Signature Algorithms for nevisFIDO FIDO2 Instance and changed the default.
• PAT-819: Allow UUIDs in nevisFIDO FIDO2 Instance pattern for nevisIDM Client ID.

Patterns 8.2505.0 Release Notes - 2025-02-07

Release information

• Build Version: 8.2505.0.12

info

This is an internal release. Use the latest available version on the Nevis Portal instead.

Changes

Authentication

• ⚠️ PAT-805: Realm patterns now use a new template for GUI rendering.
  • This may impact existing setups. Please test your use cases to ensure they work as expected.
  • You can opt out of this change by selecting the classic template in your authentication realm.
• PAT-816: Improved logging.yml of nevisAuth. The following log categories are not set by default anymore:
  • org.apache.catalina.loader.WebappClassLoader
  • org.apache.catalina.startup.HostConfig
  • ch.nevis.esauth.events
• PAT-817: Fix nevisAuth events logging
  • Log messages appeared in esauth4sv.log instead of nevisauth-events.log.
  • Log messages were prefixed by OpenTelemetry traceId and spanId, corrupting the JSON format.
• PAT-815: New patterns to patch XML elements in esauth4.xml of nevisAuth
  • nevisAuth Domain Patch: use to patch the Domain element generated by a realm pattern.
  • nevisAuth Entry Patch: assign to nevisAuth Domain Patch to add, patch, or remove an Entry element in that Domain.
  • AuthState Patch: use to patch an AuthState generated by another pattern.
  • These patterns are experimental. Use them only if there is no other way to generate the configuration as required and consider opening a support ticket if you need further features.
• ⚠️ PAT-803: Changed the code the user has to enter when Testing Mode is enabled in Email TAN and Mobile TAN patterns
  • This is a breaking change when Testing Mode is enabled as now 111111 has to be entered.
  • The code now matches the TAN Format that can be configured via Advanced Settings.
  • To use the previous code of AAAAA set the TAN Format to 5 letters.
• PAT-813: Support k8s-secret in Generic SMTP pattern.
• PAT-806: Changed order of buttons produced by authentication steps
  • The primary button is now shown first.
  • The order was inconsistent across steps.
  • Most steps use a Gui descriptor element in the esauth4.xml to define the GUI. However, some patterns use a Groovy script instead. You can expect changes in any of these places. We suggest to check the deployment preview.
  • A setting Button Order has been added to the Advanced Settings of step patterns where this leads to a change of order. Select reverse to opt out. The patterns are:
    • nevisIDM User Lookup
    • Email TAN
    • Mobile TAN
    • User Input (multiple fields)

Patterns 8.2411.1 Release Notes - 2025-01-30

Release information

• Build Version: 8.2411.1.5

Changes

General

• PAT-686: Align polling frequency and timeouts for Kubernetes health checks for all components.

Application Protection

• PAT-785: Added Trailing Slash Redirect setting to the Virtual Host pattern.
• PAT-764: The Generic QoS Configuration (mod_qos) pattern is no longer experimental.
• NEVISPROXY-7487: Fixed missing program name in nevisProxy logs.
• NEVISPROXY-7273: The Generic Application Settings and Generic Host Context Settings patterns now remove leading and trailing spaces from several XML elements. Previously, spaces could lead to an incorrect configuration, such as duplicated (and truncated) filters or servlets, or duplicated mappings. The following XML elements are now trimmed:
  • filter-name
  • filter-class
  • filter-mapping
  • url-pattern
  • servlet-name
  • servlet-class
  • servlet-mapping
  • param-value

Authentication

• PAT-789: Support configuration of connectionMinPoolSize in nevisAuth Database / Custom Attributes.
• PAT-784: Remove incorrect warning about deprecation of keystoreref for DynCert AuthState.
• PAT-798: Improved email validation in Email Input Field pattern.
• PAT-799: Set DynamicRoleAcquire.CheckRoleRemoval to false in SecurityRoleFilter elements which are used to issue application access tokens.
  • The previous value of true triggers a stepup on each request which impacts performance.

Identity Management

• PAT-801: Fixed check for FIDO2 credentials in nevisIDM Second-Factor Selection pattern.

SAML / OAuth / OpenID Connect

• PAT-788: Fix URL validation for IDP URL in SAML IDP Connector.

Mobile Authentication

• PAT-714: Support Proxy User and Proxy Password for Firebase connection.

FIDO2 Passwordless

• PAT-804: Improved validations for FIDO2 patterns.

User Behavior Analytics

• NEVISDETECT-2015: Fix ojdbc deployment for nevisAdapt and nevisDetect.

Patterns 8.2411.0 Release Notes - 2024-11-20

Release information

• Build Version: 8.2411.0.15

Changes

General

• PAT-762: Fixed a bug in Generic Deployment which caused unknown files in nested sub-folders to be deleted, even when Path: Delete Unknown Files is set to disabled.
• NEVISADMV4-9763: Added new logger ProductAnalytics to Nevis components.
  • The logger is enabled by default, it can be disabled by setting the log level to WARN or ERROR.

Application Protection

• ⚠️ PAT-750 / PAT-754: Refactored the nevisProxy Observability Settings pattern:
  • Renamed the Trace Resource Service Name parameter and moved it to the Basic Settings tab.
    • This setting now controls the service.name key-value pair resource attribute for both Metrics Mode and Trace Mode.
  • Removed the experimental label from the pattern.
  • New settings: Sampler, Deployment Environment, Capture Request Headers, Capture Response Headers
• ⚠️ PAT-751: Added CRS version 4.7.0 to the OWASP ModSecurity CRS Version setting in the Virtual Host pattern.
  • The oldest, unsupported CRS version 3.0.2 was removed.
• PAT-734: Added Default File setting to the Hosting Service pattern.
• PAT-678: Added a default template for Proxy Login Renderer.
• ⚠️ PAT-650: Added the setting SOAP Schema Validation Mode to the SOAP Service pattern.
  • The default mode is content-type, where the SOAP service only analyses requests with Content-Type application/soap+xml.
  • Select enabled to analyse all requests with a body.
  • Select strict to analyse all requests, which was the previous behaviour.
• PAT-688: We fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.
• ⚠️ PAT-755: We improved the Maintenance Page pattern:
  • The Update Interval is now configurable.
  • The pattern now includes its sanitized name in the names of the generated MaintenanceFilter and DefaultServlet.
    • This prevents naming collisions, and allow linking multiple Maintenance Page patterns to a single Virtual Host or Application.
    • Check your configuration if you use Generic Application Settings or Generic Virtual Host Settings to customize your MaintenanceFilter or the related DefaultServlet.
• PAT-759: The SOAP Service pattern can now be attached to several Virtual Host patterns even when SOAP Schema Validation files are configured.
• NEVISPROXY-7253: The HTTP Error Handling pattern now also replaces placeholders in JSON error pages.
  • This also applies to the default ErrorFilter that is generated by the Virtual Host.

Authentication

• PAT-756: Set -Dotel.instrumentation.metro.enabled=false for nevisAuth.
  • OpenTelemetry does not support tracing of these SOAP calls.
• ⚠️ PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well.
  • If you have attributes that should only be applied to the RemoteSessionStore use the prefix session: in the attribute name.
• PAT-707: Support configuration of number of worker threads for nevisAuth.
• PAT-693: Updated JWT Token pattern to be compatible with latest nevisAuth release.

Identity Management

• PAT-507: Support upload of additional resources for nevisDataPorter Instance.
• PAT-704: NevisIDM Second Factor pattern now validates if the found credentials are active and during their validity period.
• PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
• PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
• PAT-726: Password validation displays error correctly when using Self-Registration flow in Simple Sign-in / Sign On Template
• PAT-743: Added SYSLOG formatting option for nevisIDM's batch log.
• PAT-745: Created pattern for nevisIDM Create Credential AuthState.
• PAT-763: Path of password reset in nevisIDM Password Login automatically added to the Allowed Application paths.
• PAT-770: nevisIDM Authorizations pattern now handles fine-grained authorizations for UserModify and UserSearch authorization.

SAML / OAuth / OpenID Connect

• PAT-753: New setting Remove Empty Claim(s) In Token in OAuth 2.0 Authorization Server / OpenID Provider.
• PAT-701: Updated the translation text for the OAuth2 / OpenID Connect consent screen.
• PAT-744: Fixed invalid generation of nevisIDM HttpClient in Social Login patterns.
• PAT-742: The IDP URL in the SAML IDP Connector now supports EL expressions.
• PAT-716: Fixes in SAML patterns to support logout message via SOAP.

FIDO2 Passwordless

• PAT-729: Support Authenticator allow-listing in nevisFIDO FIDO2 Instance.

Mobile Authentication

• PAT-541: Configuration of fido-uaf.timeout.device-request.
• PAT-730: Support for Android Key Attestation (FIDO UAF Full Basic Attestation).
• PAT-735: Updated default metadata file to support both RSA and new EC algorithms for Android UAF authenticators.
• PAT-748: Support REST-only usage of nevisIDM in nevisFIDO.
• PAT-694: Add new wildcard facetID entries to replace the old specific values.
• PAT-618: New pattern nevisFIDO UAF Device Service.
• PAT-739: Support assignment of nevisFIDO UAF Connector in Out-of-band Mobile Onboarding pattern.
• NEVISAUTH-4768: The mobile authentication JavaScripts now only schedule a single polling request at a time, preventing “parallel polling” in the same session.

User Behavior Analytics

• ⚠️ NEVISDETECT-1874: nevisAdapt patterns were moved to a new nevisAdmin4 plugin: nevisadmin-plugin-nevisadapt.
  • The package name of all related patterns changed, so it is important to run the automatic migrations script to avoid errors.
  • Make sure that the new package is enabled when setting up a project with nevisAdapt.
• ⚠️ NEVISDETECT-1954: observation timeframe inside nevisAdapt Instance was moved to its own pattern along with other cleanup related timeframes which can be linked into nevisAdapt Instance.
  • The automatic migration script takes care of this change if any specific value was set in the original project.

Patterns 8.2405.3 Release Notes - 2024-10-17

Release information

• Build Version: 8.2405.3.0

Changes

Identity Management

• ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable. The new functionality can be fine-tuned using Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes properties in the Password Reset tab of the pattern. If new line or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.

Patterns 8.2405.2 Release Notes - 2024-08-30

Release information

• Build Version: 8.2405.2.0

Changes

Identity Management

• PAT-722: The nevisIDM Authorizations pattern now adds default values to Roles where no setting is defined in the pattern.
• PAT-722: The nevisIDM Authorizations pattern now accepts MultiClient authorization as well.
• PAT-726: The nevisIDM Password Create pattern now correctly checks passwords.

Patterns 8.2405.1 Release Notes - 2024-07-25

Release information

• Build Version: 8.2405.1.x

Changes

General

• PAT-706: Replace nested ${var expressions in patterns that support referencing inventory variables.

Application Protection

• PAT-688: Fixed an unexpected error when using a variable for the Public Key of the JWT Access Restriction pattern.

Authentication

• PAT-710: Apply Custom Attributes to RemoteOutOfContextDataStore as well
  • ⚠️ If you have attributes that should only be applied to the RemoteSessionStore use the prefix session: in the attribute name.

Identity Management

• PAT-507: Upload of additional resources for nevisDataPorter Instance.

SAML / OAuth / OpenID Connect

• PAT-716: Adapted the Groovy script used by SAML patterns to extract SOAP single logout messages.

Patterns 8.2405.0 Release Notes - 2024-05-15

Release information

• Build Version: 8.2405.0.6

Changes

General

• ⚠️ The image version encoded in the patterns has been raised to 8.2405.0 for all components. If you are deploying to Kubernetes you have to push all required images to your container registry before deployment.
• PAT-639: Added Deployment Environment drop-down to Java Observability Settings pattern.
• PAT-657: Ensure errors caused by uploaded XML files are shown in the pattern where the file is uploaded.
• PAT-675: Fixed duplicate Java agent configuration in env.conf when using Java Observability Settings pattern.
• PAT-667: Support generation of otel configuration based on inventory variables.
• ⚠️ PAT-660: Support 2-way TLS with PostgreSQL for Java components.
  • The value enabled does not exist anymore, and you have to select a different value. We recommend to use verify-ca or verify-full in combination with a Trust Store instead.
• ⚠️ PAT-631: Kubernetes deployments will now use startup probes to allow for longer startup times.
  • Additionally, the used liveness and readiness probe timings were tightened and the liveness and readiness delay configuration options were removed.
  • Make sure to upgrade to the latest version of the nevisOperator and its corresponding CRDs before deploying with the new plugin version.

Application Protection

• PAT-547: The generated dynamic SecurityRoleFilter won’t store the intercepted requests by default anymore.
• PAT-651: The StateKey parameter is no longer generated for SecurityRoleFilter.
• PAT-651: Added option to configure custom parameters for the SecurityRoleFilter in realms.
• ⚠️ PAT-659: Support 2-way TLS with PostgreSQL for nevisProxy.
  • The value enabled does not exist anymore, and you have to select a different value. We recommend to use verify-ca or verify-full in combination with a Trust Store instead.
• PAT-658: Updated navajo.xml generation to match the latest navajo DTD version.
• PAT-674: Fix error during background generation when using a nevisAdmin ${var expression and using only a variable as param-value in a servlet or filter in Generic Virtual Host Settings or Generic Application Settings.

Authentication

• PAT-673: Support configuration of arbitrary KeyObject elements by allowing the nevisAuth KeyObject pattern to be assigned to nevisAuth Instance.
• PAT-673: Support configuration of property elements for KeyObject in nevisAuth KeyObject pattern.
• PAT-669: Support configuration of custom Audit channels for nevisAuth.
• PAT-657: Support child Mapping for Method in Generic nevisAuth Web Service.
• PAT-652: New setting Shared Groovy Scripts on nevisAuth Instance.
• PAT-642: Fix requirement clash when reusing JSON Response Step.
• N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.

Identity Management

• PAT-680: For permissions related to credentials (such as CredentialChangeState, CredentialCreate, CredentialDelete, CredentialModify, CredentialPdfView, CredentialSearch, CredentialView, and CredentialViewPlainValue), it is now allowed to reduce the elementary permission to a specific credential type. Example: CredentialCreate.PASSWORD
• PAT-663: Avoid file clash when creating the same nevisIDM property with different scopes.

Mobile Authentication

• ⚠️ PAT-668: The following 2 values have been removed from the default facets in nevisFIDO UAF Instance:
  • android:apk-key-hash:z7Xkw62dAn/BsckOQ9a3OMhmlwhzdr2VkcswIIyJgJE
  • ios:bundle-id:ch.nevis.accessapp.presales.k8s
• PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

SAML / OAuth / OpenID Connect

• PAT-644: Allow to configure no scopes for Generic Social Login Step.
• PAT-643: Fix error when Schema User Password is missing in classic deployment.
• ⚠️ PAT-635: The Scope(s) that can be configured in Social Login patterns (Apple, Google, Facebook, Microsoft) have been adapted.
  • If you use any of these patterns check the configuration of your pattern. See help for Scope(s) for details.

User behavior analytics

• NEVISDETECT-1827: updated nevisAdapt Demo app in the template.
• NEVISDETECT-1831: Added option to disable private IP filtering and configure default country code in that case.
• NEVISDETECT-1834: Added option to enable Apache Hostname Verifier under nevisAdapt Instance / Advanced Settings.
• NEVISDETECT-1835: Added option to disable nevisAdapt analyzers, either on module or analyzer level.

Patterns 7.2402.2 Release Notes - 2024-10-17

Release information

• Build Version: 7.2402.2.3

Changes

Authentication

• PAT-670: We added the disabled and CUSTOM options to session tracking.
• PAT-669: We extended the nevisAuth Log Settings pattern to allow configuration of custom audit services.

Identity Management

• ⚠️ PAT-749: Modified the nevisIDM Password Login pattern to verify whether the URL from which the login page is opened in the Password Reset use case is startable. The new functionality can be fine-tuned using Redirection Path Validation Mode, Application Path Fallback, and Custom Redirection Path Validation Regexes properties in the Password Reset tab of the pattern. If new line or carriage return characters can appear in your protected URL paths, fine-tuning of the settings may be required, as the new default settings block them.

Patterns 7.2402.1 Release Notes - 2024-03-08

Release information

• Build Version: 7.2402.1.3

Changes

General

• ⚠️ The 7.2402.1 patch release of Nevis includes new docker images. You have to download these as well. The image version encoded in the pattern has been raised to 7.2402.1 for all components which are part of this release:
  • nevisproxy
  • nevisidm
  • nevismeta
  • nevisfido
  • nevisdp

Authentication

• N/A: Fixed corrupted binary files being deployed when uploading them to Custom Resources in nevisAuth Instance.
• PAT-642: Fix requirement clash when reusing JSON Response Step.
• PAT-652: New advanced setting Shared Groovy Scripts on nevisAuth Instance.
• ⚠️ PAT-654: The default maximum session lifetime has been reduced to 8 hours. This was done to align the realm pattern with the defaults of nevisAuth. The original value of 12 hours has the benefit that sessions for end-users logging into an office account only have to log in once during a business day with the drawback of generating more, longer lasting sessions overall. If you want to go back to the “once a day login”, simply set the maximum session lifetime back to 12 hours in your realm patterns.
• PAT-657: Support child element Mapping for Method element in Generic nevisAuth Web Service pattern.
• PAT-657: Ensure errors caused by uploaded XML files are shown where the XML file is uploaded.

Mobile Authentication

• PAT-641: Fix HTTP connection to nevisFIDO for Out-of-band Mobile Onboarding.

Patterns 7.2402.0 Release Notes - 2024-02-21

Release information

• Build Version: 7.2402.0.7

Changes

General

• PAT-576: Adapted the default log format of all components to include the trace_id and span_id provided by OpenTelemetry. If OpenTelemetry is disabled, the log format will still work but these IDs will be missing.
• PAT-599: Fixed duplication within JAVA_OPTS when using space as a separator.
• PAT-607: Support tracing with OpenTelemetry out of the box by loading the agent by default.

Application Protection

• PAT-492: Added setting Overwrite Status Codes in the Error Handling pattern.
• PAT-520/PAT-585: Support serving content from subdirectories in Hosting Service pattern.
• PAT-572: Added Country IP filtering to the Access Restriction nevisProxy pattern.
• PAT-600: Added Liveness Delay, Readiness Delay and Probe Periodicity settings to the nevisProxy Instance pattern.
• ⚠ PAT-621: Updated the generation of the AutoRewrite init-param for the Http(s)ConnectorServlet to the supported values.
• NEVISPROXY-6945: Updated the nevisProxy Observability Settings pattern to generate the OpenTelemetry configuration in navajo.xml instead of the TelemetryFilter. The pattern settings stay the same.
• ⚠ NEVISPROXY-6945: Removed the Virtual Host Observability Settings pattern. Due to the refactoring of the OpenTelemetry integration in nevisProxy, the configuration now applies to the whole instance.

Authentication

• ⚠️ PAT-364: Updated the generation of the RenewIdentification init-param for the IdentityCreationFilter to its new Boolean type.
• PAT-574: Support resolving inventory variables in resources uploaded to Generic Authentication Step.
• PAT-578: Added session setting Update Session Timestamp Interval in realm patterns.
• PAT-594: Added setting to configure init-param values for Esauth4ConnectorServlet in realm patterns.
• PAT-608: Improve issue text when attempting to configure -Dfile.encoding. Only UTF-8 is allowed.
• PAT-609: Support connectionMaxLifeTime configuration.
• PAT-610: Removed lodash.js from pattern JAR as it is unused.
• PAT-628: Support dynamic expressions in JSON Response Step.

Identity Management

• PAT-579: Improved nevisIDM Custom Property pattern help.
• PAT-611: Adapted nevisIDM URL Ticket Consume to not consume ticket with reload or language change.
• PAT-615: Extend nevisIDM User Lookup pattern with Buttons setting.
• PAT-620: Support 2-way TLS for nevisIDM Database.
  • ⚠️ The value enabled does not exist anymore, and you have to select a different value. We recommend to use verify-ca or verify-full in combination with a Trust Store instead.

Mobile Authentication

• PAT-601: Transaction Confirmation now exposes the /nevisfido/token/dispatch/authentication endpoint.
• PAT-632: Use nevisIDM SOAP service version v1_46 because of new requirements in mobile authentication.
• PAT-663: Expose new nevisFIDO endpoints /nevisfido/devices/credentials and /nevisfido/devices/oobOperations in mobile auth patterns.

SAML / OAuth / OpenID Connect

• PAT-562: Improved Hosting Service configuration in Social Login project templates.
• PAT-565: Adapt script used for Apple Login to be compatible with the latest release of nevisAuth.
• PAT-577: Fixed OAuth2 UserInfo Signer keystore missing signer usage.
• PAT-630: Fixed OAuth 2.0 / OpenID Connect User Info to generate correct MappingType and URIPrefix when using an exact:/ path as Endpoint.
• IDC-3892: Fixed an issue with the CORS filter generated by OAuth2 Client pattern (Identity Cloud only).

User behavior analytics

• PAT-582: Ensure untrained step is invoked during generation.
• PAT-584: Cleanups in nevisAdapt / nevisDetect Instance patterns, log settings, addons and observability patterns.

Patterns 7.2311.0 Release Notes - 2023-11-15

Release information

• Build Version: 7.2311.0.12

Changes

General

• PAT-478/PAT-521: Added support for TLS encrypted database connection for PostgreSQL to all database patterns.

Application Protection

• ⚠️ PAT-421: Improved Maintenance Page pattern:
  • The status code is now 503 by default. We recommend 503 as this status code is intended for service unavailable. You can opt out of this change by selecting 200.
  • The Base Path where the maintenance page is hosted can now be configured. As the path is not exposed with a servlet-mapping this has no user impact, but it may be required to change the path in case of clashes with other hosted resources.
• PAT-555: Included Hosting Service patterns in Application Mapping Report.
  • Only the Frontend Path will be reported, not all hosted resources. As there is no backend the Backend Addresses column will have the text n/a.
• PAT-528: Escape ( and ) in generated exclude-url-regex elements.
• PAT-502: Removed the generation of deprecated navajo.xml elements and attributes in nevisProxy, such as HttpSession, UserAgent, DocumentRoot, MemorySize.
• PAT-503: Increased the maximum allowed value for Session Timeout in the Unauthenticated Realm pattern.
  • We advise against raising the value as this increases the DoS attack surface.
• PAT-530: Added setting Send Certificate Chain to Web Application, REST Service and SOAP Service patterns.
• PAT-532: Added the Crash Recovery Strategy kill to the nevisProxy Instance pattern.
  • The default for Kubernetes deployments is kill as Kubernetes automatically starts a new pod.
• PAT-534: Fixed the validation of the ModSecurity Rule Set of Virtual Host to allow using a variable.
• PAT-542: Added metrics settings to the nevisProxy Observability pattern.

Authentication

• PAT-544: Changed nevisAuth Database pattern to allow specification of whether a password is provided or a command that echos the password.
• PAT-535: Support configuration of Allowed HTTP Methods in authentication service patterns, such as Standalone Authentication Flow.
• PAT-497: Removed the JAVA_OPTS -XX:+UseConcMarkSweepGC and -XX:+UseParNewGC from the default configuration of nevisAuth.
• PAT-485: Moved configuration of Out-of-context Data Store to esauth4.xml as required by the latest nevisAuth version.
• PAT-551: Aligned configuration generated by Generic SMTP with the latest nevisAuth version.

Identity Management

• ⚠️ PAT-309: The nevisIDM User Update step now supports overwriting user attributes and properties.
  • Overwrite is allowed by default. You can opt out by setting Allow Overwrite to disabled in the Advanced Settings tab.
• PAT-529: nevisIDM Administration GUI pattern now allows all methods used by the nevisIDM REST API.
• NEVISIDM-8916: The nevisIDM Instance pattern now handles Oracle drivers for nevisidmdb correctly.

Mobile Authentication

• ⚠️ PAT-559: The nevisFIDO UAF Instance now uses the REST API of nevisIDM for some operations. This requires a configuration change:
  • The setting Client in nevisFIDO UAF Instance has been changed to Client ID. Adapt your configuration and enter the ID instead of the name there.
• PAT-223: Added support for number matching for out-of-band push notifications.
• PAT-506: Migrated nevisFIDO UAF Instance logging from logback to log4j2.

FIDO2 Passwordless

• PAT-506: Migrated nevisFIDO FIDO2 Instance logging from logback to log4j2.
• PAT-489: Fixed small issue in the JavaScript used for usernameless authentication.
• PAT-539: Extended nevisFIDO FIDO2 Instance pattern for username / display mapping support.

SAML / OAuth / OpenID Connect

• PAT-478: You can now set all properties for nevismeta.properties with the Custom Properties setting in nevisMeta Instance.
• ⚠️ PAT-357: Refactored the Signature Validation in SAML IDP Connector and Signed Element in SAML SP Connector to provide more options. Adapt your configuration as required.
  • Removed both option in SAML SP Connector
  • Replaced both option with recommended in SAML IDP Connector
• N/A: Consent management can now be disabled in OAuth 2.0 Authorization Server / OpenID Provider by setting Consent Screen to disabled.

User behavior analytics

• PAT-305: Added support for automatic schema setup for nevisAdapt when using Oracle and PostgreSQL databases.

Patterns 4.20.1 Release Notes - 2023-09-30

Release information

• Build Version: 4.20.1.8

Changes

General

• PAT-478: Apart from nevisProxy Remote / Hybrid Session Store, database patterns now support TLS encryption when using PostgreSQL.
• PAT-495: Support overwrite of -XX:MaxRAMPercentage in JAVA_OPTS.
• PAT-498: Fixed a bug that has caused multiple Checking if %s instance '%s' had a different name before triggers to be generated for the same instance.

Application Protection

• PAT-500: Fixed the generation of DynamicConfigFilter in nevisProxy patterns.
• PAT-509: Fixed the class-name of the RewriteFilter generated by Hosting Service when configuring Rewrite Rules.
• PAT-512: Fixed the generation of the ConnectString parameter when using PostgreSQL in nevisProxy Remote / Hybrid Session Store.

Authentication

• PAT-480: Removed Authentication Flow category from step patterns.
  • The corresponding settings can now be found in the Basic Settings tab.
  • This makes navigation between steps easier as you don't have to switch tabs.
• PAT-486: Support setting a Custom Classpath for Groovy Script Step.
• PAT-488: Fixed wrong schema user password generation for the nevisAuth OOCDS.
• N/A: The Groovy Script Step now validates that steps assigned to On Success, On Failure, and Custom Follow-up Steps are used in the script.
  • As the validation could produce false positives, the generated issues are INFO level issues for now.

Identity Management

• PAT-409: nevisIDM batch jobs now use a proper value for org.quartz.jobStore.driverDelegateClass when PostgreSQL is used.
• PAT-501: Fixed a NullPointerException caused by nevisIDM Password Login when Login Type is set to AUTO or EMAIL.
• NEVISIDM-8916: Fixed issue with Oracle driver deployment where empty file was copied for nevisIDMDB.

SAML / OAuth / OpenID Connect

• PAT-471: Removed setting ID Token Lifetime in OAuth 2.0 Authorization Server / OpenID Provider pattern.
  • This setting does not have any effect in setups which use nevisMeta as the ID token lifetime is configured there.
• PAT-482: Exclude CSRF protection on SAML IDP Frontend Path(s).
• N/A: Consent Management can now be disabled in OAuth 2.0 Authorization Server / OpenID Provider.

User behavior analytics

• PAT-515: Fixed ubi tool version for nevisAdapt.
• NEVISDETECT-1729: Removed validation check for maximum value for Medium Risk Threshold and High Risk Threshold.
• NEVISDETECT-1754: Added default browser fingerprint risk scores.

Patterns 4.20.0 Release Notes - 2023-08-16

Release information

• Build Version: 4.20.0.9

Changes

General

• ⚠️ PAT-369: Refactored automatic key management for classic deployments.
  • The master for all key material is now generated during project generation and deployed to target hosts as .pem files.
  • Only .jks and .p12 files are still assembled on the target hosts by running script during deployment.
  • The overall solution is now much simpler and more reliable.
  • However, if automatic key management was used with an earlier release, you have to perform some manual clean up operations:
    1. remove /var/opt/keys folder on target hosts
    2. run the following SQL commands in the nevisadmin4 database:

       delete from pki_store_content;
       delete from pki_store;
       commit;

Application Protection

• PAT-361: Added Static Content Cache pattern.
• PAT-368: Removed a check which may produce invalid warning messages when using certain authentication steps in a realm assigned to a SOAP Service pattern.
• PAT-394: Added Peer Servlet Strategy setting to the nevisProxy Remote/Hybrid Session Store pattern.
• PAT-406: Added nevisProxy Observability Settings and Virtual Host Observability Settings patterns to support tracing with OpenTelemetry in nevisProxy.
• PAT-407: Fix the missing html mime mapping when using the Maintenance Page pattern.
• PAT-418: Fixed an unexpected warning when trying to remove the default error handler mapping of a Virtual Host using Generic Virtual Host Settings.
  • Note: The default error handler can also be disabled by linking an HTTP Error Handling pattern to your Virtual Host and setting Mode to disabled.
• ⚠️ PAT-419: Upgraded the default ModSecurity CRS to 3.3.5 and removed the previous version 3.3.4.

Authentication

• PAT-167: Added support for the renderElement attribute in GuiElem elements.
• PAT-299: Added pre-selected profileId to session when consuming an access token in Access Token Consumer step.
• PAT-342: Use request.getHttpHeader method in generated Groovy scripts.
• PAT-372: Fix error Upload a keytab file or enter the path of an existing keytab file on the target host(s) when using a variable for the keytab file in Frontend Kerberos Login pattern.
• PAT-386: Updated the nevisAuth Database pattern to use the new Hikari-based connection provider.
• ⚠️ PAT-388: Added a new Kerberos Login pattern which uses the new KerberosLoginAuthState and marked the existing Frontend Kerberos Login as deprecated.
  • The existing pattern will be removed in the November 2023 release.
• ⚠️ PAT-390: Changes to logrend.properties.
  • Fixed usage of expressions in logrend.properties configuration.
  • Removed the file-based configuration which has been marked as deprecated in the May 23 release. Use the key-value based configuration instead.
• PAT-391: New setting Login Template Mode in realm patterns.
• PAT-399: Do not return 403 for AUTH_CONTINUE in Groovy Script Step.
• PAT-401: Support AUTH_CONTINUE in JSON Response Step.
• PAT-408: Made SMTP User and SMTP Password optional in Generic SMTP pattern.

Identity Management

• IDC-3166: Support UNIT_GLOBAL for nevisIDM Custom Property.
• N/A: Updated the list of supported nevisIDM permissions which can be configured in Role Permissions in the nevisIDM Authorizations pattern.
• PAT-343: Replaced SecToken creation in authentication step patterns with use of IdmRestClient.
• PAT-384: Fixed Oracle database requires a volume to be prepared warning during background generation.
• PAT-395: The nevisIDM Custom Property pattern now allows to define properties which are not READ_ONLY.

SAML / OAuth / OpenID Connect

• PAT-284: Fixed access denied when calling OAuth 2.0 / OpenID Connect User Info endpoint.
• PAT-392: Added a Custom Pre-Processing hook to OAuth2.0 Authorization Server / OpenID Connect Provider.
• PAT-397: Fix the generation of the Claims Request setting in the social login steps.
• PAT-412: Support configuration of trust store and proxy in OAuth2.0 Authorization Server / OpenID Connect Provider for outbound connection to JWK Set endpoint for ID token encryption.
• PAT-413: Added refresh token rotation configuration for OAuth2.0 Authorization Server / OpenID Connect Provider.

User behavior analytics

• ⚠️ NEVISDETECT-1704: Refactored configuration of feedback configuration:
  • Added setting nevisAdapt Feedback Configuration to Advanced Settings of nevisAdapt Instance.
  • Added new pattern nevisAdapt Feedback Configuration to keep all related configurations.
  • Removed settings from nevisAdapt Instance:
    • nevisAuth reference
    • JWE key config
  • Removed settings from nevisAdapt Authentication Connector:
    • nevisProxy reference
    • Distrust Token Behavior
    • Feedback Token Lifetime
• NEVISDETECT-1699: Internal changes how the conversation is wrapped up when authentication is done.

Patterns 4.19.0 Release Notes - 2023-05-17

Release information

• Build Version: 4.19.0.22

Changes

General

The following changes affect multiple components:

• PAT-235: Fixed database patterns to generate the Trust Store when TLS encryption is enabled and Custom Connection URL is set.
• PAT-248: Release patterns as a single ZIP file instead of separate JAR files.
• PAT-291: Improved error handling for ${var.name} expressions.
• PAT-295: Fixed error in database patterns when using a variable without a sample value for the User Name.
• PAT-297: Improved validation for file upload properties.
• PAT-308: Fixed an error with pattern name processing in Kubernetes deployments.
• PAT-328: Fixed TLS hostname verification issues with nevisIDM and nevisMeta and automatic key management in Kubernetes.
• PAT-334: Increased the initial delay for Kubernetes readiness and liveness probes to account for slower startup.
• NEVISADMV4-9070: The default CPU autoscaler will no longer be generated if other scaling options are enabled when deploying to Kubernetes.
• NEVISADMV4-9104: Extended pod security options.

Application Protection

• PAT-193: Added Crash Recovery Strategy setting to nevisProxy Instance pattern.
  • In Kubernetes deployments it is better to let the process crash as the cluster will simply start a new pod.
• PAT-209: Added the RESET_PARAMS modifier flag for the URL Handler pattern.
• PAT-210: The Securosys Keystore pattern now generates the Primus configuration files into the nevisProxy instance folder instead of /etc/primus.
• ⚠️ PAT-230: Removed the deprecated Navajo SSL Cache setting from the Virtual Host pattern.
• PAT-265: Improved help of CA Secret in NGINX Ingress Settings.
• PAT-268: Increased the minimal nevisProxy version to 5.4.0.
• PAT-288: Cleaned up how standard patterns generate filters for handling CORS.
• PAT-293: Prevent inherited authentication for public applications:
  • When you assign an Authentication Realm to an application you get session tracking and authentication on all front-end paths of that application.
  • When you don’t assign any realm then the application is considered public but session tracking and authentication filter may be inherited from parent paths belonging to authenticated applications.
  • To prevent the inheritance you can now assign the Unauthenticated Realm pattern to your public applications.
  • As the Unauthenticated Realm pattern was originally designed to add session tracking to public applications, and we did not change the default, you have to set the Session Tracking drop-down to disabled.
• PAT-340: Prevent different managed databases being used for the same nevisProxy Instance.
  • This is not supported by the Nevis Operator component.
• PAT-344: Improved help for Client Cert Authentication in NGINX Ingress Settings.
• NEVISPROXY-6650: Fixed the setting of paranoia level order in the generated ModSecurity configuration file for nevisProxy.
• ⚠️ PAT-365: nevisProxy upgraded to OpenSSL 3.0, which has a more strict default for security level than OpenSSL version 1.1.1. The default security level 1 now forbids signatures using SHA1 and MD5. In consequence, the following issues may occur:
  1. Connections using TLSv1.1 will fail with the following message in the navajo.log:

     3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]
     We recommend upgrading your configuration to use TLSv1.2 or TLSv1.3. If it is not possible, you can add the suffix :@SECLEVEL=0 to your TLSv1.1 cipher suites to allow their signature algorithms.
  2. Connections using a certificate with a deprecated signature algorithm will fail with the following message in the navajo.log:

     3-ERROR :  [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]
     We recommend renewing your certificates with a stronger signature algorithm. In the meanwhile, you can add the suffix :@SECLEVEL=0 to the cipher suites of the affected filter or servlet. If the issue occurs at several places, or if it affects your EsAuth4ConnectorServlets, you can also modify the default cipher suites to include this suffix. Proceed as follows:
     • Add a Generic nevisProxy Instance Settings pattern to you configuration.
     • Add a bc.property for each cipher suite you want to modify. The keys are:
       • ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites for the HttpsConnectorServlets
       • ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites for the WebSocketServlets
       • ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites for the EsAuth4ConnectorServlets
       • ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites for the BackendConnectorServlets
       • ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites for the ICAPFilters
     • The modified default values should be ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0
     • Attach this pattern to your nevisProxy Instance, under Advanced Settings > Additional Settings.

Authentication

• PAT-132: New key-value style setting for configuring nevisLogrend logrend.properties.
  • You can now add / overwrite just the properties that you have to and don’t have to upload a file.
  • ⚠️ The file upload variant has been marked as deprecated and will be removed in the August 23 release.
• PAT-201: Fixed User input pattern saving a null value if a word containing letter with accent was entered.
• PAT-221: Adapt generation of nevisAuth Event Log generation to compensate for breaking changes in nevisAuth May release.
  • ⚠️ You have to use the May release of nevisAuth when event logging is enabled.
• PAT-249: Fixed an error during generation when Internal SecToken Signer Trust Store is not set.
• PAT-304: Fixed broken language change in some GUIs.
• PAT-337: Support variables in JSON Response step.
• PAT-339: Use new HTTP Client of nevisAuth for scripts.
• ⚠️ PAT-348: Implement eye icon for password input fields.
• PAT-349: Support adding a resend button on Email TAN / Mobile TAN.
• PAT-351: Do not generate Internal SecToken Signer Trust Store unless really required.
• NEVISAUTH-4006: Added advanced setting ID Pregenerate to nevisAuth Instance pattern.

Identity Management

• ⚠️ PAT-72: The nevisIDM Generic Batch Job pattern now raises a warning when Custom Batch Job JAR(s) are uploaded as nevisIDM does not support custom batch jobs since version 2.76.2.63.
• PAT-272: Fixed errors in nevisIDM Second-Factor Selection script.
• PAT-282: New field is added to nevisIDM User Lookup and nevisIDM Password Login to enable automatic selection of default profiles instead of manual selection when the User has multiple profiles.
• PAT-320: Add client trust hash label to the NevisDatabase resource to ensure client cert is imported when nevisFIDO is used.
• PAT-350: Added a setting User Not Found Error in nevisIDM User Lookup.
  • Set to disabled when the absence of a user is the happy case (e.g. in a registration flow).
• PAT-352: Added a new parameter to nevisIDM Create Password pattern to make showing policy violations configurable.

SAML / OAuth / OpenID Connect

• ⚠️ PAT-183: The REST endpoint configuration for OAuth 2.0 / OpenID Connect has been moved to a separate pattern for each endpoint.
  • You have to adapt your configuration and use the new patterns.
• PAT-183: Added REST endpoint for Pushed Authorization Request.
• PAT-226: Fixed a database connection issue for nevisMeta when TLS is enabled.
• PAT-260: Added setting Tenant ID to Microsoft Login pattern.
• PAT-287: Exclude CSRF on token introspection and revocation paths.
• PAT-289: Fixed SAML IDP authorization checks for SPs.
• PAT-306: Allow disabling IDP-initiated authentication in SAML IDP pattern.
  • ⚠️ IDP-initiated authentication is disabled by default. You can opt out of this change by enabling it again.
• PAT-311: Fixed double slash in OAuth 2.0/OpenID Connect metadata service.
• PAT-359: Added missing method to the dispatcher script used by the SAML IDP.

FIDO2 / Passwordless

• PAT-199: The FIDO2 Authentication pattern now uses the new Fido2AuthState by default.
  • ⚠️ A different JavaScript is used (fido2_auth_std.js). If you are using a custom Login Template you have to update the template.
  • The previous implementation can still be used until the August 23 release by setting AuthState Class to ScriptState.
• PAT-269: Adapted the nevisFIDO FIDO2 Database to be compatible with the new MariaDB driver in nevisFIDO.
  • ⚠️ The enabled TLS encryption option is no longer available. Use trust, verify-ca or verify-full instead.
• PAT-307: Added User Verification setting to FIDO2 Authentication and FIDO2 Onboarding.
• PAT-318: Added Attestation setting to FIDO2 Onboarding.
• NEVISFIDO-1828: Allow configuration of android:apk-key-hash:<your-hash> for Relying Party Origins.

Mobile Authentication

• PAT-238: Prevent inheritance of CSRF protection and ModSecurity from applications to nevisFIDO APIs.
• ⚠️ PAT-255: As announced with warning messages, the following deprecated patterns have been removed with this release:
  • Mobile Authentication with Custom URI Link
    • custom URI links have to be configured in the nevisFIDO UAF Instance pattern instead.
  • Mobile Authentication with Deep Link
    • deep links have to be configured in the nevisFIDO UAF Instance pattern instead.
  • Mobile Device Registration
    • use In-band Mobile Registration Service and/or Out-of-band Mobile Registration Service patterns to expose the APIs required by your client.
• PAT-269: Adapted the nevisFIDO FIDO2 Database to be compatible with the new MariaDB driver in nevisFIDO.
  • ⚠️ The enabled TLS encryption option is no longer available. Use trust, verify-ca or verify-full instead.
• PAT-296: Improved error handling of the Out-of-band Mobile Onboarding step.
  • In fatal error cases a System Error screen is now shown instead of an incomplete screen.

Authentication Cloud

• PAT-247: The new Authentication Cloud patterns do not send an extra ping request to Authentication Cloud to validate the configuration.
• ⚠️ PAT-298: Removed Authentication Cloud pattern.
  • Use the new Authentication Cloud Login and Authentication Cloud Onboarding patterns instead.
• PAT-302: Added On Abort exit to Authentication Cloud patterns.
• PAT-303: Added Authentication Cloud Lookup pattern.

User behavior analytics

• NEVISDETECT-1603: Updated nevisAdapt project templates for K8s deployment
• NEVISDETECT-1683: Fixed Oracle JDBC driver could not be found issue.

Patterns 4.18.3 Release Notes - 2023-05-04

Release information

• Build Version: 4.18.3.16

Changes

SAML / OAuth / OpenID Connect

• PAT-254: Fixed SAML SP Connector to set the property out.post.relayStateEncoding to HTML when http-post is selected for Outbound Binding.

FIDO2 / Passwordless

• ⚠️ IDC-2999: The FIDO2 Onboarding pattern now renders a welcome screen.
• PAT-325: Support usage of Dispatcher Button patterns in FIDO2 Onboarding.

Mobile Authentication

• PAT-313: Fixed Out-of-band Device Management App to not set InterceptionRedirect to never in the IdentityCreationFilter of the assigned realm.
• PAT-321: Made In-band Mobile Registration more flexible. Now any realm can be assigned and the non-mobile authentication flow can be disabled.
• PAT-336: Fixed Usernameless Out-of-band Mobile Authentication so that the pattern can be used as the first step of an authentication flow.

Authentication Cloud

• PAT-326: Added a retry button to Authentication Cloud Onboarding.

Patterns 4.18.2 Release Notes - 2023-03-27

Release information

• Build Version: 4.18.2.12

Changes

Authentication

• PAT-280: Added missing password for Default Backend Trust Store of nevisAuth Instance.
• PAT-267: Removed open port check for default nevisLogrend instance.

Identity Management

• PAT-245: Improved Generic nevisIDM Instance Settings so it can handle empty values.

SAML / OAuth / OpenID Connect

• PAT-278: Add Custom Properties setting to OAuth 2.0 Authorization Server pattern.

• PAT-277: New experimental Access Token Consumer step.

• ⚠️ PAT-274: Protection against XML Signature Wrapping (XSW) attacks. By default, the SAML IDP now signs the entire SAML Response.

  This is a breaking change. You have to adapt the configuration of your SAML service providers (SPs) to validate the signature of the Response. If this is not possible, you can opt out of this change by selecting Assertion in the Signed Element drop-down of the SAML SP Connector. If only the Assertion is signed, then your setup may be vulnerable to attacks.

  We recommend to check if your SP applies appropriate mitigations. If you are using a Nevis SP, then upgrade to the latest applicable version of nevisAuth to benefit from additional checks of the ServiceProviderState. Check the release notes of nevisAuth for details. In Kubernetes deployment you have to set the version of the docker in the inventory to use the new nevisAuth version.

  To easily configure which signatures are validated on the SP side, we have added a drop-down Signature Validation to the SAML IDP Connector pattern. The default of this drop-down is both, which means that the signature of the Response and Assertion is checked. This in line with the change of the default on the IDP side. If you can not enable response signing on the IDP site, you can opt out of this change by setting the drop-down to Assertion.

Authentication Cloud

• IDC-2913: New experimental Authentication Cloud Onboarding pattern.
• IDC-2897: Various improvements to the scripts of the Authentication Cloud patterns.
• PAT-247: Removed a ping call which is not required.

Patterns 4.18.1 Release Notes - 2023-03-01

Release information

• Build Version: 4.18.1.16

Changes

General

The following changes affect multiple components.

• PAT-231: We fixed an issue that caused Kubernetes deployments to fail when database patterns were used with Database Management set to disabled.

Authentication

• PAT-227: We fixed an issue with the User Input pattern which can lead to an exception during cookie parsing.

Mobile Authentication

• PAT-225: We improved the pattern help of the Out-of-band Mobile Device Registration pattern.
• PAT-236: We Adapted the JavaScript used by Out-of-band Mobile Authentication when Channel is set to Link / QR-Code to not render a device list.
• PAT-237: We fixed the failed push dispatching for Out-of-band Mobile Authentication pattern.
• PAT-238: Ensure security features enabled for applications with Frontend Path / won't break APIs provided by nevisFIDO for FIDO UAF.
• PAT-241: Ensure nevisFIDO is accessible on /auth/fidouaf/authenticationresponse/.
  • This path is used by old apps and will be removed in a future release.
• PAT-242: We fixed the missing notification when using push dispatching for Out-of-band Mobile Authentication.
  • New label mobile_auth.push added with defaults translations. You can change them in the realm pattern.

Authentication Cloud

• PAT-244: Use new nevisAuth HTTP client in the Authentication Cloud pattern.

• PAT-224: We added support for authentication with QR-code instead to Authentication Cloud pattern.

  • This pattern now has a drop-down Authentication Type to choose how to interact with the user.
  • The QR code is rendered on client side using a JavaScript library (loaded by js_end.vm).
  • This QR code can also be scanned by the camera app and support access app installation.

• PAT-208: We cleaned up JavaScript and Groovy script used by Authentication Cloud pattern.

  • ⚠️ These changes are breaking if you are using your own login template. Adapt your template as follows:
    • Download the default template in the Authentication Realm, unpack the zip and compare the following files:
      • js_end.vm (includes the JavaScript files)
      • authcloud.js (the new JavaScript expects HTML elements with ID info and error to display status messages)

• PAT-208: The Authentication Cloud pattern now provides translations for status messages in the 4 default languages (EN, DE, FR, IT)

  • Check the deployment preview and adapt the texts as required in the realm pattern.

• PAT-208: The Authentication Cloud pattern now shows status messages underneath the title.

• PAT-208: The Authentication Cloud pattern now has a setting to configure the label used for the title.

• PAT-208: The Authentication Cloud pattern now has settings for separate configuration of Access Key and Instance ID.

Patterns 4.18.0 Release Notes - 2023-02-15

Release information

• Build Version: 4.18.0.24

Changes

General

The following changes affect multiple components.

• PAT-148: Ensure files produced by automatic key stores and trust stores in classic deployment have proper permissions, owner, and group.

• ⚠️ PAT-138: Removed settings and patterns which have been declared as deprecated and produced warning issues.

  • Removed the setting Compat Level in nevisAuth Instance.
  • Removed settings which used a text box when there is a corresponding file upload.

• ⚠️ PAT-118: New Database patterns for all Nevis components which use a database.

  • You can now use the same pattern for classic (VM) and Kubernetes deployments.
  • The drop-down Session Management in Advanced Settings can be set to disabled to opt out of automatic DB schema setup and migration.
  • The existing database patterns have been removed. Adapt your pattern configuration by using the new patterns.
  • The technical property name for assigning the Database pattern has been adapted in:
    • nevisAuth Instance
    • nevisAdapt Instance
    • nevisFIDO UAF Instance
    • nevisDetect Persistency Instance

• PAT-177: Improved type tolerance of key-value style settings when loading from a variable.

  • It is not required any more to put quotes around boolean and numeric values.
  • For instance, the following variable definition is now valid:

  my-var:
  - some-key: 100

• PAT-158: Fixed an issue with the validation of host names (length limitation).

Application Protection

• PAT-169: Fixed usage of full URLs in Root URL Redirect of the Virtual Host pattern.
• PAT-161: Fixed nevisProxy minimal version check for ModSecurity Core Rule Set to only apply when deploying a nevisProxy Instance.
• NEVISPROXY-6376: New Securosys Key Store pattern.
  • For now this pattern can be used in nevisProxy only. Use in Virtual Host patterns for the Frontend Key Store.
  • Upload valid configuration files from a working set up.
  • In case of on-premise set-ups, the installation of the library has to be done manually, for nevisAppliance the target system should be upgraded.
• PAT-161: Fixed nevisProxy version check in classic deployment.
• NEVISPROXY-6257: The servlet mapping elements in the web.xml of nevisProxy are now sorted.
• NEVISPROXY-6270: Added new HTTP/2 category for Virtual Host pattern and added new Early Hints parameter.

Authentication

• PAT-171: Adapted nevisAuth Database pattern for new MariaDB JDBC driver used in nevisAuth.
• PAT-143: nevisAuth Log Settings now has the following default Log Levels:
  • EsAuthStart = INFO: prints messages during startup
  • org.apache.catalina.loader.WebappClassLoader = FATAL
  • org.apache.catalina.startup.HostConfig = ERROR
• PAT-138: Fixed an issue Generic Authentication Step when assigning the step in multiple places.
• PAT-201: Improvements for the User Input pattern.
  • Fix encoding issues when entering special characters.
  • Cache the input in the session in case a cookie has to be returned for the Remember Input feature.
• ⚠️ PAT-174: Adapted the generation of configuration for the nevisAuth session store to be compatible with the new nevisAuth version (4.38).
  • Upgrade nevisAuth as otherwise the instance won’t start.
• ⚠️ PAT-165: Adapted the generation of key stores and trust stores for outgoing TLS connection in nevisAuth.
  • nevisAuth now supports using separate key material for all these connections and can fall back to the system trust store in the JDK.
  • The SwissPhone Connection pattern has been adapted accordingly.
  • If you are using Generic Authentication Step or Groovy Script Step, and you have outgoing TLS connections then you may have to adapt your configuration.
    • Details can be found in the nevisAuth release notes.
    • If a suspicious property name is generated the patterns will produce a warning issue.
      • If this check produces a false positive it is safe to ignore.
      • The check has been implemented to help with the migration and will be removed again in a future release.
• ⚠️ PAT-192: The recommended option in the Synchronize Sessions drop-down in the nevisAuth Database pattern now behaves like the option always in both classic and Kubernetes deployment.
  • In previous releases (previous database patterns) the behavior of recommended was:
    • always in Kubernetes deployment
    • after-successful-authentication in classic deployments
  • This change can increase the number of sessions stored in the remote session store.
  • The benefit is that now the authentication can continue on another line, in case nevisProxy decides to send the user to a different line.
  • You can opt out of this change by selecting the option after-successful-authentication.
• PAT-175: New experimental Role Check Step pattern.
  • You can use this pattern in authentication flows to make decisions based on roles.
  • Role-based access control is usually done in nevisProxy instead. Use the Authorization Policy pattern for that.
• PAT-162: JWT Token extended with kid header parameter option.

Identity Management

• PAT-153: The nevisIDM Administration GUI pattern now has Self Admin GUI set to enabled by default.
• ⚠️ NEVISIDM-8595: The nevisIDM Instance pattern now validates the length of the configured Encryption Key.
• NEVISIDM-8480: The JDBC connection string generated by the nevisIDM Database pattern has been adapted to be compatible with the latest nevisIDM release.
• PAT-142: Fixed nevisIDM Connector to not use settings from Kubernetes tab in a Classic deployment.
• PAT-163: Added experimental nevisIDM Password Create pattern.
  • This pattern is experimental and will be improved in future releases.
• PAT-163: Improved Email TAN and nevisIDM User Create patterns.
  • In combination with the Dispatcher Button and nevisIDM User Lookup these patterns may be used to build a simple self-registration flow.

Mobile Authentication

• ⚠️ PAT-157: The JavaScript used by Out-of-band Mobile Authentication has been rewritten from scratch.
  • If you use a custom login template, adapt the template accordingly.
• PAT-143: nevisFIDO Log Settings now has the following default Log Levels:
  • ch.nevis.auth.fido.application.Application = INFO: prints messages during startup
  • jcan.Op = INFO: 1 line for each request (incoming and outgoing)
• PAT-172: New experimental pattern Usernameless Out-of-band Mobile Authentication.
  • The pattern shows a QR-code and/or link for mobile authentication. It is not required to enter any username.
• ⚠️ PAT-198: New In-band Mobile Device Registration patterns.
  • The existing Mobile Device Registration pattern has been deprecated and will be removed in May 2023.
  • Use one of the new patterns instead. Check the links above to find out which one fits your use case.
• ⚠️ PAT-198: Improved the Mobile Device Deregistration pattern.
  • The technical property name used for Authentication Realm has changed. Assign your In-band Mobile Authentication Realm to the new setting instead.
  • Rewritten the help text to make clear which APIs are exposed.
• ⚠️ PAT-196: The Out-of-band Device Management App has been simplified.
  • This pattern is provided for demo purposes only. If you want to do mobile device management in production you should implement your own application.
  • The pattern help has been improved. It is now documented which API the example application makes and how the required endpoints may be provided.
  • The FIDO Settings and Userinfo Settings tabs have been removed.
  • The pattern does not automatically expose the required APIs anymore. Instead, you now have to configure additional patterns as described in the help.

SAML / OAuth / OpenID Connect

• PAT-59: Set default value for Setup ID in OAuth 2.0 Authorization Server/OpenID Connect Provider
  • Newly created nevisMeta instances will contain this setup by default. Existing nevisMeta instances are not affected.
• PAT-86: Added Assertion Consume URL Validation setting.
• PAT-206: The OAuth2.0 Authorization Server / OpenID Connect Provider now ensures that CSRF protection from applications running on parent paths are not inherited which would break basic flows.
• PAT-82: Extended SAML SP Realm and IDP Connector with encryption settings.
• PAT-139: Fixed wrong error message when Social Login Create User was reused.
• PAT-140: Support reuse of the following patterns:
  • Social Login Create User
  • Social Login Link User
  • Social Login Done

Patterns 4.17.0 Release Notes - 2022-11-16

Release information

• Build Version: 4.17.0.24

How to install and use the plugins

Download the plugin JAR files from the Nevis Portal.

Go to the Downloads section, and select ROLLING RELEASES / 2022 Nov.

Enter the version in the Search field: 4.17.0.

On how to use this library, see Editing Project Pattern Libraries.

Changes

Several changes are included in the 4.16.1, 4.16.2, and 4.16.3 intermediate releases. Check the corresponding release notes.

General

The following changes affect multiple components.

• ⚠️ PAT-75: Added a new widget for map-like settings.
  • Existing configuration must be migrated. Warning issues will be generated for patterns that require attention.
  • The widget will guide you through the migration steps when you visit the pattern. By saving the pattern you complete the migration.
  • In some places several separators where allowed (->,:,=) in previous releases. The old widget used the same parsing order for all lines and thus some separators had to be used the “wrong way round”. Often, the order of the -> was wrong. The new widget will fix this problem. The widget will import existing data using a proper, “natural” reading order (value -> key, key = value, key : value). This can lead to invalid configuration in some cases. Double-check carefully how the migration has interpreted your existing configuration as you may have to switch left and right side in some cases.
• NEVISPROXY-6260: Added new setting Hostname Validation to the following patterns:
  • nevisAdapt REST API
  • nevisDetect Administration GUI
  • nevisDetect Persistency REST API
  • nevisIDM Administration GUI
  • nevisIDM REST Service
  • nevisIDM SOAP Service
  • nevisMeta Web Console
  • REST Service
  • SOAP Service
  • Web Application
• PAT-41: Image version parsing now uses Long instead of Integer to be able to parse long version numbers.
• PAT-28: Improve minimum version checks for Kubernetes deployment.
  • The setting Enforce Target Version in Instance patterns has been renamed to Check Minimum Version.
  • You can now enable / disable all minimum version checks with this drop-down.
• PAT-53: Improved cleanup of rotated log files.
  • Changed the glob expression filename.* to a regex expression to avoid that files which have not been created by the component (e.g. backups or compressed rotated logs) are removed.
• PAT-67: Various improvements to automatic key management in classic deployment:
  • nevisAuth Backend Trust Store now trusts nevisIDM Frontend Key Store instead of falling back on the nevisAdmin 4 CA.

Application Protection

• NEVISPROXY-6396: Changed the default HTTP/2 support to disabled in the Virtual Host pattern.
  • There are incompatibility with certain mod_qos directives.
• PAT-62: Always set Secure flag on proxy session cookies.
  • Having a session on nevisProxy when accessing via plain HTTP is not supported anymore.
• ⚠️ PAT-107: Added OWASP ModSecurity Core Rule Set version 3.3.4 to the available options in the Virtual Host patterns.
  • This is the new default version, and it requires nevisProxy 5.4.0 (November 2022) or newer.
  • We recommend using version 3.3.4, but you can still choose one of the previous versions.
• ⚠️ PAT-36: Added new setting Remote Session Store in the Virtual Host pattern.
  • Use this new setting instead of Additional Resources.
• PAT-36: Prevent invalid assignments:
  • Generic Application Settings to Virtual Host pattern.
  • Generic Virtual Host Settings to application patterns.
• PAT-2: Added new settings Content-Type Mode and Content-Types in the HTTP Error Handling pattern.
• PAT-120: Added new setting Keep Security Headers to the HTTP Error Handling pattern.

Authentication

• PAT-56: Removed unused mermaid.min.js.
• PAT-135: Generate attribute idPregenerate with true.
  • Required for use cases where the nevisAuth session ID needs to be known before AUTH_DONE.
• PAT-40: Improved validation of Transform Variables step.
• PAT-96: Generate KeyObject DefaultSignerTrust for SecToken validation in nevisAuth.
  • nevisAuth validates the SecToken received from nevisProxy when a stepup occurs.
  • In some setups that SecToken may have been signed by a different key store (e.g. a second line of nevisAuth or after cert rollover).
  • In such setups an additional KeyObject will now be generated to ensure the SecToken can be validated.
• PAT-99: Basic support for showing a Gui with AUTH_CONTINUE in Groovy Script Step.
• PAT-117: Added setting Language Cookie Name in Authentication Realm pattern.

Adaptive Authentication

• PAT-39: Fixed data source issues for nevisAdapt Persistency and nevisDetect Persistency.

Identity Management

• ⚠️ PAT-52: Migrated nevisIDM Authorizations pattern to be file based to avoid size restrictions.
• PAT-38: Extended the nevisIDM Prune History Job pattern to a setting for the SkipList property.
• PAT-115: Fixed trust association between SecToken Signer Trust Store in nevisIDM Instance and Signer Key Store of Nevis SecToken patterns.

SAML / OAuth / OpenID Connect

• PAT-122: Allow handling the unlock method using Custom Pre-Processing of SAML SP Realm.
• ⚠️ PAT-57: Changed default paths in OAuth 2.0 Authorization Server / OpenID Connect Provider.
  • Changed default paths to exact:/oauth/<name>. See help for details.
  • Changed /auth endpoint to /authorization based on RFC examples.
• PAT-83: Support to checking Required Roles in the SAML SP Connector.
  • Roles are checked after taking care of the Minimum Required Authentication Level.
  • This is an advanced configuration. We recommend to check roles in your SAML SP instead to not mix authentication and authorization.
• ⚠️ PAT-73: Refactor Social Login patterns for avoid security issues when the user is not linked.
  • You have to upgrade your flows. See the pattern help for details.
• NEVISAUTH-3677: Add custom exits to OAuth 2.0 Authorization Server / OpenID Connect Provider.
  • This is an advanced configuration. We cannot validate that your configuration make sense.

Patterns 4.16.3 Release Notes - 2022-11-02

Release information

• Build Version: 4.16.3.9

Changes

General

The following changes affect multiple components.

• PAT-102: The setting Regex Filter in Log Settings patterns is now also applied to Console appenders used in Kubernetes deployments.

Authentication

• PAT-98: We made the lookup of client extId and user extId more reliable in various authentication step patterns.
• PAT-99: We improved the Groovy Script Step so that you can now produce an AUTH_CONTINUE response to render a GUI.

FIDO2 / Passwordless

• IDC-2464: We fixed an exception in FIDO2 Authentication and FIDO2 Onboarding steps.
• PAT-93: We added a new setting On Cancel to the FIDO2 Authentication and FIDO2 Onboarding steps.
  • The error handling in these patterns is considered experimental and further changes are expected in upcoming versions.
  • We recommend testing onboarding and authentication with the expected devices carefully.
• PAT-78: We added registration options to FIDO2 Onboarding.
• PAT-92: We fixed a WARN message about maxLifetime in the nevisfido.log.

SAML / OAuth / OpenID Connect

*⚠️ ️PAT-109: The SAML IDP does not dispatch according to the last used SP anymore.

• In IDP-initiated cases, the SP issuer has to be well-defined, see pattern help for details.

Patterns 4.16.2 Release Notes - 2022-10-07

Release information

• Build Version: 4.16.2.8

Changes

General

The following changes affect multiple components.

• PAT-90: We added a new setting Regex Filter to Log Settings patterns of Log4J2-based components.
  • If configured, messages matching the regular expression are not logged.
  • ⚠️ By default, the following is not generated for nevisLogrend anymore: .*GET /nevislogrend/health.*
• PAT-74: Moved deployment type settings in Instance patterns into tabs:
  • Kubernetes tab: settings for deployment to Kubernetes
    • Liveness Delay
    • Readiness Delay
  • Classic tab: settings for deployment to VMs
    • Line Preference
    • Start Timeout
    • Memory Limit
    • Initial Memory Ratio
    • Instance Rename Detection
    • Start Inactive

Authentication

• PAT-74: We added new settings Liveness Delay and Readiness Delay in nevisAuth Instance pattern.
  • If startup of nevisAuth times out in Kubernetes, you may have to increase the values.
  • These are experimental settings. Changes are expected in a future release.

SAML / OAuth / OpenID Connect

• PAT-70: The SAML SP Connector / User Attributes setting now supports configuration of more than one attribute with the same value or expression.
• PAT-71: We added a drop-down to SAML SP Connector to configure if and how the AudienceRestriction element is generated.
• PAT-65: Various changes in SAML IDP to support customizing / overwriting SAML logout behavior:
  • We added a Custom Pre-Processing hook.
  • We added a drop-down to disable the Logout Configuration feature.
• PAT-65: nevisLogrend was not reachable when using a sub-path of the Frontend Path(s) of the SAML IDP. We fixed the issue.

Patterns 4.16.1 Release Notes - 2022-08-31

Release information

• Build Version: 4.16.1.3

Changes

General

• ⚠️ PAT-42: Various fixed to Log Settings patterns.
  • The new log format is: *%d{ISO8601} [%thread] %-5level %logger{36} - %msg%n*. In Kubernetes a prefix is added (no change).
  • We have removed *%-4relative*, changed %logger{35} to %logger{36} and added a -.
  • You can change the log format in the Advanced Settings tab of the corresponding Log Settings pattern.
• ⚠️ PAT-26: Deprecated text boxes in patterns which support the same configuration by uploading a file.
• PAT-13: Added time-based log rotation for components that use logback.
• NEVISADMV4-8505: Add Start Inactive setting to Instance patterns.

Application protection

• NEVISADMV4-8507: Fixed link to application patterns in Application Mapping Report.

Authentication

• ⚠️ NEVISADMV4-6224: Improved authentication steps for OATH, for example, Google Authenticator.

Identity Management

• PAT-45: Fixed a bug in the nevisIDM Password Login pattern. When fetching User Properties an invalid configuration was generated.

SAML / OAuth / OpenID Connect

• PAT-20: Fixed a bug in the Social Login patterns (e.g. Google Login) which produced invalid ResultCond elements in some setups.
• ⚠️ PAT-30: Removed Custom Pre-Processing hook in OAuth 2.0 Authorization Server / OpenID Provider pattern.
• PAT-27: Ensure Default Session Upgrade Flow is used by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
• NEVISAUTH-3729: Improved the CORS Lua filter generated by OAuth 2.0 Authorization Server / OpenID Connect Provider pattern.
• PAT-29: Added Key Store and Trust Store settings to nevisMeta Web Console.

User behavior analytics

• PAT-39: Fixed various issues with the database connection:
• NEVISDETECT-1575: Upgraded fingerprintjs v3 to 3.3.4.

Patterns 4.16.0 Release Notes - 2022-08-17

Release information

• Build Version: 4.16.0.14

Changes

If you are upgrading from the version included in the May 2022 release (4.15.0), also check the release notes for 4.5.1.

General

• ⚠️ NEVISADMV4-8429: The SameSite flag is now set to None by default for nevisProxy session cookies.
• NEVISADMV4-8298: We renamed several Key Store and Trust Store settings.
• NEVISADMV4-8405: We added time-based log rotation to Log Settings pattern.
  • size-based rotation: %i
  • daily rotation: %d{yyyy-MM-dd}
  • hourly rotation: %d{yyyy-MM-dd-HH}
• NEVISADMV4-8446: Boolean values from inventory variables are now handled in drop-downs with the compatible options showing:

Application protection

• NEVISADMV4-8445: The endpoints required for Kubernetes liveness and readiness checks are now exposed by a separate virtual host which is not exposed to the internet via the ingress.
• ⚠️ NEVISPROXY-6256: The Hosting Service pattern is adapted. The underlying DefaultServlet is replaced by a FileReaderServlet to allow future improvements.
• NEVISPROXY-6121: We added support for HTTP/2 front-end connections in nevisProxy, and introduced a new setting called HTTP/2 Support in the Virtual Host pattern.
• NEVISPROXY-6213: We added the new JWT Access Restriction pattern to verify the JWT of incoming requests in nevisProxy Virtual Host without using nevisAuth.
• NEVISADMV4-8164, NEVISPROXY-6252: We added a new setting to the Web Application, REST Service, and SOAP Service* patterns called Custom Parameters**.
• NEVISPROXY-6114: We added a new parameter Conditional Log Levels to the nevisProxy Log Settings pattern.
• NEVISADMV4-8383, NEVISPROXY-6251: The HTTP Error Handling pattern now supports uploading JSON files.
• NEVISADMV4-8498: Generation now fails when the patterns demand a different servlet-name for the same servlet, instead of silently using the latest value.

Authentication

• NEVISLOG-409: We fixed generic JSON rendering by nevisLogrend.
• NEVISADMV4-8296: We improved the nevisAuth expressions that were generated when using the exact: prefix in Standalone Authentication Flow / Frontend Path(s).
• ⚠️ We renamed several Gui descriptors. If you are using the Gui names in your Login Template, you have to adapt your .vm and.js files:
• NEVISADMV4-8433: The Transform Variables Step now support clearing and removing variables.
• NEVISADMV4-8372: We now support Unit Attributes and Unit Properties in nevisIDM Password Login pattern.
• ⚠️ NEVISADMV4-8369: The nevisIDM Second Factor Selection now supports FIDO2 and recovery code credentials.
  • There is no REST endpoint for OTP credentials, and thus the userDto object is still used for this credential type.
  • We renamed the label method.tan.label to method.mtan.label.
  • We improved the default translations and help texts.
• ⚠️ NEVISIDM-8211: The nevisIDM URL Ticket Consume pattern now shows a GUI with a label and a continue button before validating the ticket.

Identity Management

• NEVISIDM-8139: It is now possible to preload a client into nevisIDM at startup with the new nevisIDM Client pattern.
• NEVISIDM-8120: We reworked the Azure Service Bus pattern, it can mow be used to set the following remote queues with the help of Azure Service Bus Remote Queue pattern(s):

SAML

• NEVISADMV4-8051: We now ensure that automatic signers used by SAML SP Realm or SAML IDP have the correct name in Kubernetes deployments.
• NEVISAUTH-3746: We changed how the SAML IDP dispatches incoming requests.
• NEVISAUTH-3743: We introduced changes to SP Issuer and Audience Restriction of SAML SP Connector.
• NEVISAUTH-3601: We added a setting Custom Transitions to SAML IDP Connector.
  • Use when you have to add or overwrite ResultCond elements in the ServiceProviderState.
  • An example use case is to apply custom error handling.

OAuth / OpenID Connect

• NEVISMETA-1762: We added TLS configuration for nevisMeta Instance pattern with 3 options: requested, required, disabled.
• NEVISMETA-1744: We added a new setting User Info Endpoint to OAuth 2.0 Authorization Server / OpenID Provider.
• NEVISMETA-1750: We added a Terms of Service and Policy display for ConsentState.
• NEVISMETA-1756: We added new advanced settings to the OAuth 2.0 Authorization Server / OpenID Provider:

Mobile authentication

• NEVISADMV4-8471: We removed mauth_include.js..
• NEVISADMV4-8419: We noe use python3 for the startup check of the nevisFIDO Instance pattern.
• NEVISFIDO-1639: We added On Cancel to the Out-of-band Mobile Authentication pattern.
• NEVISADMV4-8364: We fixed the Continue button which is shown in Out-of-band Mobile Authentication, when the authentication is aborted in the mobile app.
• NEVISADMV4-8388: We relaxed validation in mobile authentication patterns. For some cases, a simple info message is shown instead of a warning.

Authentication Cloud

• NEVISADMV4-8471: We removed authcloud_include.js..

FIDO2

• NEVISFIDO-1647: We added experimental patterns for FIDO2.
  • nevisFIDO FIDO2 Instance - It uses the same RPM and Docker image as nevisFIDO Instance but supports FIDO2 use cases only.
  • FIDO2 Authentication
  • FIDO2 Onboarding
  • nevisFIDO FIDO2 Log Settings
  • nevisFIDO FIDO2 Management App - It serves a simple HTML and JavaScript page, which shows how to do registration for FIDO2 WebAuthn. Do not use in production!
  • nevisFIDO FIDO2 REST Service - It exposes the FIDO2 related REST APIs provided by nevisFIDO on a nevisProxy Virtual Host, required by nevisFIDO FIDO2 Management App.
  • For now use Generic Authentication Step to configure FIDO2 WebAuthn authentication.

User behavior analytics

• NEVISDETECT-1510: We added nevisAdapt Logout Connector as a nevisAdapt-related logout step (initiates session termination)
• NEVISDETECT-1536: We added new URL property to nevisAdapt Instance for defining a page redirect after pressing a feedback report link
• NEVISDETECT-1563: We added nevisAuth Instance reference to nevisAdapt Instance to enable reporting untrusted sessions

Patterns 4.15.1 Release Notes - 2022-07-01

Release information

• Build Version: 4.15.1.8

Changes

General

• NEVISADMV4-8312: We removed the invalid warning message “set 'Kubernetes' to 'other_namespace' or clear this property.”

Application protection

• NEVISADMV4-8302: We resolved the warning issue when attempting to remove a no-existing filter-mapping.
• NEVISADMV4-8348: We removed deprecation warning for syslog forwarding for nevisProxy.
• NEVISADMV4-8338: We prevented the error issue when using a variable for Lua Script in Lua HTTP Processing pattern.
• NEVISADMV4-8399: We added the missing reference for trust store / key store to NevisComponent Kubernetes resources when assigning an Automatic Trust Store or Automatic Key Store pattern for the connection to a backend server in SOAP Service, REST Service and Web Application patterns.

Authentication

• NEVISADMV4-8385: ZIP files uploaded to Translations in realm patterns are now unpacked automatically.
• NEVISADMV4-8370: We now support the configuration of Login Type in OATH Authentication pattern.
• NEVISADMV4-8211: We introduced new experimental patterns nevisAuth Database and Managed nevisAuth Database.
• NEVISADMV4-8305: We now support changing the title in User Information pattern.
• NEVISADMV4-8297: We now support expression ${service.postfix} in Groovy Script Step. Use when referring to Kubernetes services deployed by the same project.
• NEVISADMV4-8395: We now support ${var.name} expressions in Condition(s) of Dispatcher Step.

Mobile authentication

• NEVISADMV4-8393: We prevented an exception during generation when assigning a non-automatic Key Store in the nevisIDM Connection tab of a nevisFIDO Instance.
• NEVISADMV4-8398: We fixed the wrong name being referred to when using In-band Mobile Authentication Realm and assigning Automatic Key Store patterns to the nevisFIDO Instance.
• NEVISADMV4-8291: We set max-text-length for transaction-confirmation in nevisFIDO to 2000.
• NEVISADMV4-8400: We ensured that security features are activated for a Web Application running with Frontend Path, and do not block access to REST APIs exposed by Mobile Registration and Mobile Deregistration patterns.

Identity management

• NEVISIDM-8149, NEVISADMV4-8311: We fixed nevisIDM Generic Batch Job pattern to work in combination with nevisIDM 2.85.x.
• NEVISADMV4-8385: ZIP files uploaded to nevisIDM Instance / Custom Resources are now unpacked automatically. Now you can configure a custom facing for which subdirectories are required.

Federation

• NEVISAUTH-3662: We fixed Google/Microsoft Social Login Pattern having wrong first/last name assignment.
• ⚠️ NEVISADMV4-8359: We improved pre-processing hooks in authentication patterns.
  • SAML SP Realm
  • SAML SP Connector
  • OAuth 2.0 Authorization Server / OpenID Provider
• IDC-2074: We fixed automatic user creation / update during Apple Login.

Patterns 4.15.0 Release Notes - 2022-05-18

Release information

• Build Version: 4.15.0.6

Changes

General

• ⚠️ NEVISADMV4-7063: In generated URLs the port is now omitted if it can be deducted from the scheme (e.g. for HTTPS the default port is 443).
• NEVISADMV4-7886: nevisAdmin 4 shows a warning the Nevis docker images used are older than the ones defined in the plugins.
• NEVISADMV4-7771: nevisAdmin 4 is upgraded Groovy to 3.x. The patterns are now compiled against this version.
• NEVISADMV4-8087: We fixed a bug that could result in an invalid PEM being generated when additional trusted certificates were uploaded to an Automatic Trust Store.
• ⚠️ NEVISADMV4-8077: All Generic Log Settings patterns are removed. Change your project configuration to use the high-level Log Settings patterns instead.
• ⚠️ NEVISADMV4-8076: The fields used for Log Levels in Log Settings patterns are aligned. In case you have to adapt your pattern configuration, a message is shown to guide you through the process.
• ⚠️ NEVISADMV4-8076: Log config generation is migrated from Log4J version 1 to Log4J version 2. The following Nevis components are affected:
• ⚠️ NEVISADMV4-8078: The available options for Log Targets in Log Settings patterns are changed.
• ⚠️ NEVISADMV4-8076: The default maximum log file size is aligned. Now all components use 100 MB by default. This means an increase from 10 MB to 100 MB for the following components:
• NEVISADMV4-8101: We fixed a bug in Managed Database patterns, which lead to an error in the DB setup when using variables containing secrets.

Application protection

• NEVISADMV4-8161: We fixed the missing port number in the defaultHost attribute in navajo.xml. The issue occurred when several Virtual Host patterns shared the same Frontend Addresses, and one of these patterns was set as Default Virtual Host in the nevisProxy Instance pattern.
• NEVISPROXY-5987: We added the new settings Session Store Resource and Session Store Access Restriction to the Virtual Host pattern to enable the REST interface for the nevisProxy session stores.
• ⚠️ NEVISPROXY-6145: We improved the nevisProxy patterns to only generate one servlet per web.xml for storing sessions. In addition, the session store servlets now have fixed names:
• NEVISADMV4-8141: The nevisProxy patterns no longer generate SERVER_FDLIMIT, as nevisProxy does not use this instruction since version 4.6.
• NEVISPROXY-6092: We fixed the time interval based log rotation in the nevisProxy Log Settings pattern.
• NEVISPROXY-6073: We added new setting to the Managed MariaDB Remote Session Store pattern called Custom Parameters.

Authentication

• NEVISADMV4-8030: URLs pointing to nevisIDM / nevisMeta instances running outside the Kubernetes cluster no longer get the -web suffix. The suffix is only added, when nevisIDM and nevisMeta run in the same Kubernetes cluster.
• NEVISPROXY-6089: We added a new setting, Forbidden Roles to the Authorization Policy pattern
• NEVISPROXY-6089: We added new settings, Required Roles Mode, Forbidden Roles Mode, and Authentication Level Mode to the Authorization Policy pattern
• ⚠️ NEVISPROXY-6089: The internal property providing the Required Roles of the Authorization Policy pattern is renamed. If you see a text box called “Unknown property: roles” in your Authorization Policy pattern, configure the reported roles or the reported variable in the Required Roles setting. Write one value per line if you set roles directly.
• ⚠️ NEVISPROXY-6089: SecurityRolesFilter generated to enforce mandatory role requirements are now called Authorization_Required_Roles_<roles>_<realm> instead of Authorization_<roles>_<realms>.
• ⚠️ NEVISPROXY-6089: When combining several Authorization Policy patterns for an application, by default the pattern with the most specific mapping overrides the settings of the more general patterns, including the empty values. Empty values were previously ignored. As a consequence, if one of the Required Roles, Forbidden Roles or Authentication Level settings is defined in the most general pattern, but is empty in the most specific one, by default no rule will be enforced for this setting on paths where the specific pattern is mapped.
• NEVISADMV4-7893: We added new settings called Hostname Validation in the nevisAuth Connection and GUI Rendering sections of Realm patterns.
• NEVISADMV4-8023: We improved the help for Template Parameters in Generic Authentication Step.
• NEVISADMV4-8238: When the name of the realm starts with a digit, the name of generated AuthState elements gets a “_” prefix applied to ensure the esauth4.xml complies to the schema.
• NEVISADMV4-8172: We added validation to ensure the SecToken Signer Key Store has a name that is compatible with Kubernetes deployment. This means that the name must end with “Signer”.
• NEVISADMV4-8173: We removed entries for taking heap dumps from the JAVA_OPTS variable found in env.conf of nevisAuth instances.
• NEVISADMV4-8153: We removed ch.nevis.session.jdbc.connector.store.absTo from the env.conf of nevisAuth instances.
• NEVISADMV4-8149: We now use a plain TCP connect check for nevisLogrend readiness endpoint in Kubernetes deployment. This is because the check fails if a HTTPs based check is used, and HTTPs is set to mutual in the nevisLogrend Instance pattern.
• NEVISADMV4-8090: Some patterns add an AuthState to the end of authentication flows.
  • existing tokens are not lost on stepup (required when new tokens are produced).
  • Previously, this logic was part of <realm>_Prepare_Done and thus always executed.
• NEVISADMV4-8009: We improved validation of Groovy scripts for nevisAuth.

Mobile authentication

• NEVISADMV4-8222: We added Generic nevisFIDO Instance Settings pattern. Use this pattern to set JAVA_OPTS.
• NEVISFIDO-1576: For the nevisFIDO Instance, the config key dispatch-target-repository is no longer generated, as the configuration is now taken from the credential-repository key.
• ⚠️ NEVISADMV4-8121: Settings related to logging in the nevisFIDO Instance pattern are moved into a separate nevisFIDO Log Settings pattern.

Identity management

• NEVISADMV4-8174: We added PersistentQueueRetry to the validation of nevisIDM Authorizations.
• ⚠️ NEVISIDM-7872: The nevisIDM Administration GUI pattern enables REST API access by default. As this may conflict with the nevisIDM REST Service pattern, it is mandatory to either manually disable it, or remove the conflicting pattern.
• NEVISIDM-8029: We added new setting to the nevisIDM Password Login pattern called Login Type with a default value of LoginId.
• NEVISADMV4-8101: We fixed the failed validation of nevisIDM Instance / Encryption Key when a secret was used in Kubernetes deployment.
• NEVISIDM-8063: We added a setting SMTP SSL/TLS Mode to the nevisIDM Instance pattern. There are 2 options to choose from: disabled and STARTTLS.
• NEVISADMV4-8196: Do not create a WARNING issue when a variable is used for the JDBC driver in nevisIDM Database Connector pattern during background generation. Variables used to upload files do not have a sample value in the project and thus validation has to be skipped.
• NEVISADMV4-8142: We added settings Regular Expression and Maximum Length to nevisIDM Custom Property.
• NEVISADMV4-8138: We added a new setting Backend Key Store to nevisIDM Administration GUI, nevisIDM SOAP Service and nevisIDM REST Service patterns. Assign a key store pattern if you want to use 2-way TLS between nevisProxy and nevisIDM.
• ⚠️ NEVISADMV4-8126: The IdmPasswordResetState, which is generated by the nevisIDM Password Login pattern when Password Reset is enabled, now shows password policy information.

Federation

• NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern can now generate a Metadata Endpoint.
• NEVISADMV4-7063: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern is improved:
  • The new default values are: /oauth2/auth and /oauth2/token.
• IDC-1558: The OAuth 2.0 Authorization Server / OpenID Connect Provider pattern now generates configuration for standard OAuth / OpenID scopes by default.
• NEVISMETA-1735: We added the Generic nevisMeta Instance Settings pattern. Use this pattern to set JAVA_OPTS.
• NEVISADMV4-7653: We added the Generic Social Login Step pattern for common OIDC/OAuth 2 social login use cases. Use this pattern only if the more specific social login step patterns are not applicable.
• NEVISAUTH-3586: The SAML SP Connector pattern now uses the SP Issuer as default for Audience Restriction.
• NEVISAUTH-3575: We added two new settings to the OAuth 2.0 Authorization Server / OpenID Provider pattern to protect the token introspection and token revocation endpoints with Basic Authentication.
• NEVISAUTH-3567: We improved the SAML Binding configuration in the SAML SP Connector pattern.

Patterns 4.14.0 Release Notes - 2022-02-16

Release information

• Build Version: 4.14.0.17

Changes

General

• NEVISADMV4-7906: Changed error message when disabled patterns are assigned for a required reference.
• ⚠️ NEVISADMV4-7765: Generic Log Settings patterns now produce a warning message.
  • The patterns are to be removed in May 2022 in favor of higher-level Log Settings patterns.
  • Contact support if you have a use case that requires these patterns.
• ⚠️ NEVISADMV4-7765: Syslog forwarding is deprecated for all components.
  • Contact support if you have a use case that requires Syslog forwarding.
• ⚠️ NEVISADMV4-7765: The available options for Log Targets in Log Settings patterns are changed.
  • The option file is now called default because in Kubernetes deployments the log is always written to the pod log.
  • The option file + syslog is now called default + syslog for the same reason.
  • If you selected one of the options above you get an error. Select default instead.
• NEVISADMV4-7866: Show an error message when using Generic Deployment in Kubernetes.
  • Generic Deployment is not supported in Kubernetes deployment.
  • Contact support if you have a use case that requires Generic Deployment.
• NEVISADMV4-7840: Generic Instance Settings for Java-based components now support setting all formats of Java properties.
  • Minor differences in sort order are expected.
  • ⚠️ If you use a variable for Java Opts check that the configuration is generated as expected.
• ⚠️NEVISADMV4-7706: Adapted various Log Settings patterns so that assigning them does not lead to an immediate change in the generated log configuration.

Application protection

• NEVISADMV4-7896: The default ModSecurity configuration based on Core Rule Set 3.3.2 now allows the same HTTP methods as the previous release.
  • The HTTP methods are checked by nevisProxy and thus there is no reason to check them in ModSecurity again.
  • The allowed HTTP methods are CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MERGE, MKACTIVITY, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PATCH, POST, PUT, TRACE, UNLOCK.
• NEVISADMV4-7640: Make NGINX Ingress Settings assignable to Virtual Host.
• NEVISADMV4-7891: Fixed a typo in the VERSION-CONTROL HTTP method.
• NEVISADMV4-7874: Support configuration of Additional HTTP Status Codes for Virtual Host.
• NEVISADMV4-7864: Changed the default for Password Getter in nevisProxy Instance.
  • When recommended is selected a script deployed by nevisAdmin is used which supports all Key Store and Trust Store patterns.
• NEVISADMV4-7827: Allow only *.lua files to be uploaded for Lua Script and Lua Libraries in Lua HTTP Processing.
• NEVISADMV4-7798: The WebSocket Support for Application pattern does not set the parameter KeepAlive.ByClient anymore.
• NEVISADMV4-7858: Added settings for Client Cert Authentication to NGINX Ingress Settings pattern.
• NEVISPROXY-6029: Added new parameter to the RemoteSessionStore pattern called Custom Parameters.
• NEVISADMV4-7936: Fixed NPE in Application Mapping Report.
• NEVISPROXY-6016: The attribute serverAlias of the Connector elements in the navajo.xml file can now be customized using a Generic nevisProxy Instance Settings pattern.
• NEVISADMV4-7812: Added new parameter Mode to the Error Handler pattern, which allows disabling the error handling for the current mapping or some sub-paths.
• ⚠️ NEVISADMV4-7812: When an Error Handler pattern with a sub-paths parameter is added to a Virtual Host, the default error handler of the Virtual Host is now applied to the sub-paths not covered by the attached Error Handler pattern. Previously, the default error handler was disabled as soon as an Error Handler pattern was attached to the Virtual Host. If you want to keep the previous behavior, attach an additional Error Handler pattern with Mode set to disabled to the Virtual Host.

Authentication

• ⚠️ NEVISADMV4-7831: Do not generate Frontend Trust Store when Client Authentication is disabled in nevisAuth Instance patterns.
  • When set to disabled, nevisAuth has to be upgraded to 4.34 or later before deployment.
• ⚠️ NEVISADMV4-7920: Change default of Client Authentication to enabled for nevisAuth Instance.
  • The Frontend Trust Store has to contain the CA certificate which issued the cert of the Client Key Store of associated realm patterns.
• NEVISADMV4-7915: New setting Session Upgrade Flow in Standalone Authentication Flow.
• NEVISADMV4-7826: Refactored startup check for nevisAuth to check if the port is bound only.
  • The previous status check failed when the esauth4sv.log was rotated during startup.
• NEVISADMV4-7910: Support upload of separate text and LitDict files for nevisLogrend and nevisAuth.
  • Set Translation Mode to separate to enable this feature.
  • ⚠️ When Translation Mode is set to “combined” (default) the uploaded files have to be called _labels\_<code>.properties_. Please rename the uploaded files if required.
• NEVISADMV4-7838: Add Log Category for Groovy Script Step.
• NEVISADMV4-7837: Generic Authentication Step now supports adding multiple GuiElem of type submit with the same name as long as the value is different.
  • There are custom AuthState implementations which require such a configuration.
• ⚠️ NEVISADMV4-7836: Detect and prevent changing the LitDict encoding to anything other than UTF-8.
  • A warning message is created when invalid characters are detected.
• NEVISADMV4-7929: New setting Language Cookie Domain in Advanced Settings of Authentication Realm.
• NEVISADMV4-7981: Generic Authentication Step now supports the expression ${var.name} to refer to an existing variable by name.
  • This feature is an alternative to the existing Template Parameters.
  • The feature is experimental as there are some usability constraints:
    • It is not yet possible to create variables in the project directly (without making a pattern property a variable).
    • It is not shown that a variable is used inside the generic configuration.

Mobile authentication

• NEVISADMV4-7627: Added new Android biometric authenticator AAID for Android to nevisFIDO Instance pattern default Policy and Metadata.

User behavior analytics

• NEVISDETECT-1477: Set the session end date by default to the maximum session lifetime to make sure it is never empty.
• NEVISDETECT-1483: New configuration to support the MaxMind IP geolocation database.
• NEVISDETECT-1486: Possibility to configure a new authentication step to handle if timeout occurs.
• NEVISDETECT-1473: Fix the generated configuration to correctly mark the observations as trusted at the end of an authentication flow in case of a successful authentication.
• NEVISDETECT-1498: In case of using risk profile configurations setting at least one threshold is mandatory from now on.
• NEVISDETECT-1493: Fixed the failed case in the TAN patterns to be able to react on if somebody failed to provide the correct code and reached the maximum threshold.
• NEVISDETECT-1495: Improved the help texts for the risk event configurations.
• NEVISDETECT-1502: Fixed the file name for log rotation to match the UNIX standards.

Identity management

• ⚠️ NEVISIDM-7694: Encryption settings are now exposed in nevisIDM Instance.
  • From now on the Encryption Key has to be set.
  • The database should be checked for encrypted content to determine if Encryption Fallback has to be enabled.
    • encrypted properties:
      • select * from tidma_property where encrypted \= 1;
    • unused URL tickets:
      • select * from tidma_credential where CREDENTIAL_TYPE_ID = 14 and STATE_ID = 2;
• NEVISADMV4-7824: New nevisIDM URL Ticket Consume pattern.
  • Use for custom flows which require a link sent to the email address of the user.
  • This pattern establishes an endpoint on a Virtual Host where URL Tickets can be validated. On success the next authentication step is executed.
• IDC-1264: Added additional settings to nevisIDM Property pattern.
  • This pattern is experimental and not feature-complete.
  • If you have a property that cannot be generated, contact support.
• NEVISADMV4-7843: Do not restart nevisIDM Instance when log levels are changed.
  • nevisIDM is configured to check for log level changes every 60 seconds.
  • One restart is still required to activate the polling.
  • This does not apply to Generic nevisIDM Log Settings. When this pattern is used, nevisIDM is still restarted.
• NEVISADMV4-7834: Ensure tmp folder inside nevisIDM instance is not deleted on deployment.
  • Removal of the tmp folder during runtime can lead to outages.
• NEVISDP-328: Allow the upload of multiple Custom JAR Files files for nevisDataPorter Instance.
• NEVISDP-329: The nevisDataPorter Instance now has a tab nevisIDM Connection where you can set a Trust Store and Key Store to establish a 2-way TLS connection.
  • Check the documentation on how to use these stores in your Configuration.
• NEVISADMV4-7928: Support custom redirects during or after Password Reset in nevisIDM Password Login pattern.
• NEVISADMV4-7927: New setting URL Ticket Policy Name for password reset process in nevisIDM Password Login pattern.
• ⚠️ NEVISADMV4-5588: The setting Enabled SOAP WebService Versions in nevisIDM Instance is removed.
  • This setting was not working in recent releases.
  • Use Generic nevisIDM Instance Settings to set the property webservice.versions instead.

Federation

• IDC-1273: The SAML SP Connector now has a new setting Multi Value.
  • When enabled, multiple AttributeValue elements are generated for attributes containing comma- or space-separated Strings.
  • For backward compatibility, the default is disabled.
• NEVISADMV4-7743: New OAuth 2.0 Authorization Server / OpenID Provider pattern.
  • This pattern is still in development and will change significantly in subsequent releases.
  • Consider this to be a preview. Use at your own risk!
• NEVISADMV4-7878: nevisAuth fixed a bug related to the setting SP URL - Single Logout Service in the SAML SP Connector pattern. Upgrade to the latest nevisAuth release.
• NEVISADMV4-7979: Social Login Pattens use the next step correctly when create new user failed.

Patterns 4.13.1 Release Notes - 2021-12-03

Release information

• Build Version: 4.13.1.1

How to Install and Use the Plug-Ins

This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.

Changes

General

• FIXED: The setting Default Log Level in "Log Settings" patterns now also changes the priority of the root logger.

Application Protection

• NEW: Added experimental Default Service pattern. Use this pattern to map filters to paths when there is no backend, no hosted resources, or authentication flow.
• FIXED: The HTTP Header Customization pattern now allows using constant values for Basic Auth User and Basic Auth Password. Previously you have to add the CONST: prefix as a workaround.

Authentication

• CHANGED: The setting Translations in realm pattern now allows uploading UTF-8 encoded files. Previously only ASCII files with HTML-encoded special characters were supported.
• FIXED: Ensure Email TAN and Mobile TAN patterns take the On Failure exit when all attempts are exhausted.

Patterns 4.13.0 Release Notes - 2021-11-17

Release information

• Build Version: 4.13.0.13

How to Install and Use the Plug-Ins

This version is not supported anymore and cannot be downloaded. Upgrade to a newer version.

Changes

General

• We do not generate the info issue "Some host addresses do not include port, calculating port based on scheme." anymore.
• A thread-safety issue which can make the generation fail when automatic key management is used has been fixed.
• A chmod to automatic key management scripts to fix a permission issue which occurs in combination with certain versions of openssl has been added.

Application Protection

• NEW: Support for the assignment of multiple Virtual Host patterns in application patterns was added.
• NEW: We added the property "Database Schema Check" to the "nevisProxy MariaDB Remote Session Store" pattern. When enabled, nevisProxy verifies that the database schema and integrity constraints match the requirements of the Remote Session Store at startup. This check is disabled for "Managed nevisProxy Remote Session Store" patterns.
• UPDATED: The "compatible" configuration for the "Frontend TLS Settings" of Virtual Hosts was updated. Refer to the pattern help for the new values.
• UPDATED: Blank fields in "TLS Settings" patterns assigned to a Virtual Host will be now be replaced by the corresponding "recommended" value. The "compatible" value was previously applied.
• UPDATED: We upgraded the default ModSecurity CRS version to 3.3.2 and introduced new property "OWASP ModSecurity CRS version" to the "Virtual Host" pattern to choose CRS version. The new default matches the OWASP recommended configuration, therefore it uses anomaly mode and response body check is enabled. If previously custom CRS was configured, the "custom" option has to be selected.
• UPDATED: The nevisProxy status script for classic VM deployment was improved.
• UPDATED: Generic Application Settings now support the expression ${host.key} which may be used for EntryPointID when declaring a custom IdentityCreationFilter or to point to configuration files within the docBase of the host.
• FIXED: An exception in the Application Mapping Report which made report generation fail was fixed.
• FIXED: We fixed an issue where a Virtual Host could have Frontend TLS Settings set to recommended or compatible and have a TLS Settings pattern assigned at the same time.
  • Now assigning a TLS Settings pattern requires setting Frontend TLS Settings to custom.

Authentication

• NEW: We now have support for additional algorithms to the JWT Token pattern.
• NEW: We now create a WARN issue when multiple files per language are uploaded for Labels in the authentication realm patterns.
• FIXED: A bug in the generation of SectokenVerifierCert when using multiple realm patterns with different configuration for Internal SecToken Trust Store was fixed.

Federation

• NEW: An optional configuration On User Creation Failed in social login patterns was added.
• NEW: We added configuration options to SAML SP Realm and SAML IDP patterns to support logout using SOAP-binding.
• UPDATED: We improved the error handling when social login provider returns an error.

Identity Management

• UPDATED: CSRF protection for nevisIDM was updated.
• NEW: New experimental patterns for the configuration of nevisIDM batch jobs were added.
• NEW: New experimental patterns for the configuration of nevisDataPorter were added.
• CHANGED: Oracle JDBC drivers uploaded in nevisIDM Instance pattern now also get deployed for nevisidmdb.

Monitoring

• As announced in Components Removed from the Rolling Releases as of November 2021, patterns to set up an ELK stack on the nevisAppliance are removed.